Gartner Blog Network

Is ‘the cloud’ part of our critical infrastructure?

by Jay Heiser  |  February 10, 2011  |  2 Comments

Mark Twain’s fictional detective Pudd’nhead Wilson suggested “Put all your eggs in one basket, and watch that basket!”

Concentration creates opportunities for leverage, for both defenders and attackers.  The decision of whether to concentrate your forces, or to split them up, is a classic military one.  Not every approach is relevant for every situation.  The infosec field has spent years debating the monoculture issue, asking whether the Internet has sufficient genetic diversity to ensure that entire virtual fields don’t fall over simultaneously. Those discussions need to be revisited in the context of cloud computing.

Greater concentration of customers and data in cloud-based services will lead to an overall higher level of protection, but when failures do occur, they could potentially result in huge levels of damage.  When organizations assess the risk of using any particular XaaS offering, they are only concerned about the impact of a security failure or data loss on their own organization.  This level of self-concern is understandable, but it leaves unaddressed a more profound and abstract question, “What would be the social/economic/national/global impact of an incident that affected all the customers of a major provider?”

The US Federal government is in the process of finishing what will likely be the most thorough form of cloud service risk analysis yet devised.  Although FedRAMP risk assessment information will be shared between agencies, each will perform an assessment that only takes into account the risk to their own agency.  The latest FedRAMP draft omits the question “what would be the impact on the entire government of a failure affecting all the customers of a widely-used service?”  Some of the services that will be offered to the Feds are going to be offered from semi-private clouds, limited just to other government agencies.

Cloud Service Providers have astronomical expectations encompassing millions of customers and petabytes of data. The greater their success, the more they must be considered as a form of ‘critical infrastructure’.  Is the security and reliability of these offerings a legitimate public policy concern?

Category: cloud-computing  risk-management  security  strategic-planning  

Tags: cloud-computing  cloud-disaster  cloud-regulation  cloud-security  critical-infrastructure  disaster-recovery  national-security  public-policy  security  

Jay Heiser
Research VP
6 years at Gartner
24 years IT industry

Jay Heiser is a research vice president specializing in the areas of IT risk management and compliance, security policy and organization, forensics, and investigation. Current research areas include cloud and SaaS computing risk and control, technologies and processes for the secure sharing of data… Read Full Bio

Thoughts on Is ‘the cloud’ part of our critical infrastructure?

  1. […] This post was mentioned on Twitter by Netspective, Toshio Matsuda. Toshio Matsuda said: [Gartner] Is ‘the cloud’ part of our critical infrastructure?: “What would be the social/economic/national/globa… […]

  2. Typically when systems fall over you can trace it back to a resource skill or management decision making problem. With cloud computing you provide your infrastructure in the service which means that, for services that would ordinarily run off many different environments under classic application installation terms (I.E. the application runs off a single application server normally on its own box), the services would now run off of this single cloud environment. Because it is run off the single environment it means a more specialization of skill in a more focused place which, hopefully, would result in the reduction of a risk of the catastrophic knock on down time that you described here. Is it really accurate to measure cloud service and risk against a traditional measurement or does cloud introduce new aspects to service risk?

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.