Policy makers must do more to address the growing vulnerability critical infrastructure sectors face due to their increasing reliance on cloud computing, urges a new report from the Atlantic Council.
The report points out that the cloud has already allowed malicious actors to spy on government agencies, pointing to the 2020 Sunburst attack in which cloud products, especially Microsoft Azure identity and access management services, were compromised.
The authors propose key reforms to strengthen defenses, including establishing a cloud management office that proactively reviews cloud dependency. Such reforms would better position existing industry risk management agencies to work with CISA to measure and respond to risk.
The report also recommends that Congress create a task force modeled after the groundbreaking Cyberspace Solarium Commission to design a security agency to specifically protect cloud infrastructure.
Government policy is still set to assess the security of a cloud product, not the underlying infrastructure, Maia Hamin, co-author of the report and associate director of the Atlantic Council’s Cyber ​​Statecraft Initiative, said in an email. This is a concern as more and more traditional infrastructure things like energy and healthcare rely on cloud computing.
The report argues that the ubiquity of the cloud, driven by its cost savings, scalability and ability to outsource infrastructure security, overshadows the fact that politics has fallen dramatically behind in reckoning with how essential it is. cloud computing for the functioning of the most critical systems and in the development of safeguards commensurate with that new centrality.
In addition to the Sunburst hack, the report points to weakness in software systems, citing a 2019 Google cloud outage that resulted in decreased hours for services like YouTube and Snapchat.
It argues that cloud infrastructure is vital to national security, national economic security, and national public health and safety, and as a result must be treated more seriously by policy makers as there is a real potential for the cloud to be compromised or disrupted to disable critical infrastructure services.
Two characteristics that increase the risk of cloud computing, compared to previous on-premise systems, should inform how a national cloud risk management policy is constructed, the report argues. Due to the spread of cloud adoption, the report says, a wide range of organizations rely on a few shared cornerstone technology systems, including unattractive subsystems within the cloud, where failure of one node could precipitate a collapse. cascade.
Separately, because control and visibility into organizations’ cloud infrastructure are inherently delegated, such organizations lose visibility into the operations and failure modes of their cloud systems, the report argues.
It’s time to address the fact that the cloud may have already become critical based on the metrics used by policymakers when assessing whether a system needs oversight to ensure its resilience, the report concludes. As more and more entities adopt the cloud, and as more of the core infrastructure of systems like the Internet relies on it, this dependency and the systemic nature of the risks that come with it will only increase.
Registered future
Cloud intelligence.
Learn more.
Suzanne Smalley
Suzanne Smalley is a privacy, disinformation, and cybersecurity policy reporter for The Record. She previously was a cybersecurity reporter at CyberScoop and Reuters. Early in her career Suzanne covered the Boston Police Department for the Boston Globe and two rounds of presidential campaigns for Newsweek. She lives in Washington with her husband and three children.
#Policy #makers #face #cloud #insecurity #warns #report
Image Source : therecord.media
