Policy recommendation: Trusted cloud
Ensuring secure and reliable infrastructure
As cloud computing gives rise to powerful new capabilities, it offers the potential to increase productivity and innovation, reduce costs, and drive new levels of security and resiliency. The last two are particularly important, as the ever-increasing connectivity — of both devices and people — has created new avenues for malicious actors to attack people and commit crimes against them. To be effective, our online defenses need to embrace the security advancements offered by cloud computing — from scalability and geographic replication to the use of machine learning and other innovations.
Cloud computing represents a seismic shift from traditional computing — not just in what it enables, but in how it is built, managed and used. To address the risks and threats of the cloud computing era, governments will need to adapt existing security programs and policies and enhance current approaches to ensuring the security and resilience of their systems.
The shift will require not only much closer cooperation with cloud vendors to ensure the security outcomes governments are seeking are met effectively, but also a change in how the regulatory landscape is managed. Sectoral and vertical approaches to critical infrastructures will have to be reassessed, as the technology underpinning them cuts across them horizontally. Moreover, the global nature of security threats will make cross-border partnerships and harmonized legal approaches even more important.
Governments must play a central role in developing, evolving and implementing security policies. Effective approaches will not only increase domestic and global security, but also enable continued innovation, productivity and economic opportunity. Less effective approaches will create heavy operational costs without realizing the intended and much-needed security benefits.
To create efficient policy and regulatory frameworks that ensure secure and reliable services are used, the following steps are recommended:
Establish risk management processes and prioritize efforts. Any regulations that are introduced should be based on a thorough understanding of the threats, vulnerabilities and potential consequences facing the country. In adopting a risk-based approach, governments will recognize that all activities involve some degree of risk and that no organization has unlimited resources to apply to security. The approach will also allow governments to prioritize their security investments on the most important national assets, ensuring that these have sufficient protections in place.
Implement a data classification system for the cloud. Data classification is the process of dividing data into distinct categories based on sensitivity levels and risk profiles, and then articulating the security controls needed at each level to manage risks appropriately. Having a cloud-specific data classification system will help enterprises and government agencies identify both their most sensitive and their least sensitive materials and evaluate the costs and benefits of storing materials of varying sensitivity in the cloud. To the extent possible, governments may adapt existing data classification schemes to data stored in the cloud, as evidenced by the approach of the U.K. government’s classification program.
Establish public-private partnerships. Public-private partnerships are a cornerstone of effectively managing security risks in both the short and long term. They are essential for boosting trust among and between the operators and the government. Their focus areas could include coming to an agreement on common cybersecurity baselines; establishing effective coordinating structures and information-sharing processes and protocols; identifying and exchanging ideas, approaches and best practices for improving security; and improving international coordination.
Set baseline security measures for government and critical infrastructures. Security baselines are a foundational set of policies, outcomes, activities, practices and controls that help manage cybersecurity risk. They can take the form of voluntary guidance, coupled with incentives (e.g., procurement requirements or tax subsidies), or be implemented through a mandatory regulatory requirement, in particular where an elevated need for assurance arises from the risk environment. Governments should consider utilizing existing best practices, such as the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, to ensure speedy adoption and international harmonization.
Develop outcomes-focused frameworks. It is essential that any regulations introduced are outcomes-focused, articulating what organizations should aim to achieve (e.g., “control logical access to critical resources”) rather than how organizations should implement security (e.g., “utilize two-factor authentication”). In the rapidly changing world of cybersecurity, prescriptive approaches will quickly become out of date or leave the country out of step with international best practices. Moreover, outcomes-focused approaches allow for variability in the architecture of technology and give the user the flexibility to use whatever best fits their needs.
Develop a common security compliance model for critical information infrastructures. Because every sector of the economy depends on technology, there is a high degree of commonality in the risks, and in the associated controls and policies, across the different sectors. Rather than developing minimum security goals and standards for each individual sector, government should seek to harmonize approaches by developing an overarching security compliance model for critical information infrastructures. To ensure sector-specific risks are addressed, governments should also allow individual sectors to establish a smaller subset of additional requirements appropriate for their unique operating environments.
Leverage global standards in national cybersecurity efforts. The threats to cyberspace do not stop at national borders. It is therefore essential that governments adopt approaches for encouraging cybersecurity that acknowledge that reality. National approaches should therefore integrate international standards to the maximum extent possible, keeping the goal of harmonization in mind. Moreover, by leveraging global standards as the basis of their certifications, governments can improve efficiency, lower costs and improve market competition.
Evidence and further reading
Microsoft white paper: Transforming Government: A Cloud Assurance Program Guide
National Institute of Standards and Technology (NIST): Framework for Improving Critical Infrastructure Cybersecurity
EU Policy Blog: Progressing from Padlocks: Securing Industry in the Cloud