Mark Twain’s fictional detective Pudd’nhead Wilson suggested “Put all your eggs in one basket, and watch that basket!”
Concentration creates opportunities for leverage, for both defenders and attackers. Whether to concentrate your forces or to split them up is a classic military decision, and neither answer is right for every situation. The infosec field has spent years debating the monoculture issue, asking whether the Internet has sufficient genetic diversity to ensure that entire virtual fields don't fall over simultaneously. Those discussions need to be revisited in the context of cloud computing.
Greater concentration of customers and data in cloud-based services will likely raise the average level of protection, but when failures do occur, they could cause damage on a far larger scale. When organizations assess the risk of using any particular XaaS offering, they are concerned only with the impact of a security failure or data loss on their own organization. This level of self-concern is understandable, but it leaves unaddressed a more profound and abstract question: "What would be the social, economic, national or global impact of an incident that affected all the customers of a major provider?"
The US Federal government is in the process of finishing what will likely be the most thorough form of cloud service risk analysis yet devised. Although FedRAMP risk assessment information will be shared between agencies, each agency will perform an assessment that takes into account only the risk to itself. The latest FedRAMP draft omits the question "What would be the impact on the entire government of a failure affecting all the customers of a widely-used service?" That question matters all the more because some of the services offered to the Feds will come from semi-private clouds, limited just to other government agencies, so their customer base is concentrated within government.
Cloud Service Providers have astronomical ambitions: millions of customers and petabytes of data. The greater their success, the more they must be considered a form of critical infrastructure. Is the security and reliability of these offerings a legitimate public policy concern?
Category: cloud-computing risk-management security strategic-planning
Tags: cloud-computing cloud-disaster cloud-regulation cloud-security critical-infrastructure disaster-recovery national-security public-policy security
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.