Better to Be Realistic About the Security Opportunities of Cloud Computing

Trey Herr
Tuesday, March 17, 2020, 3:36 PM

How to map a more effective security strategy for cloud computing.

Published by The Lawfare Institute
in Cooperation With
Brookings

Editor's note: This article is part of a series of short articles by analysts involved in the Cyberspace Solarium Commission, among others, highlighting and commenting upon aspects of the commission's findings and conclusion.

Cloud computing is championed by some as the way to secure smaller and medium-sized enterprises, state and local governments, and individuals. While very little marketing material says outright that cloud computing will solve an organization’s security problems, the general implication is that shifting computing workloads into the cloud will address complex security challenges for the user and is a net positive.

The reality is that cloud computing is not a security panacea. The challenge for policymakers is that for all the promise and pitfalls of cloud computing in the abstract, the security capabilities of cloud providers vary wildly in practice.

Cloud services can remove administrative burdens, harness the data of millions of users to provide better security, and offer services to enforce more effective security behavior. However, moving workloads and data to the cloud does not eliminate implicit security problems and it creates some new ones. Much like the internet amplifies the good and bad of our pre-networked selves, organizations bring to the cloud many of the same security problems they had on-premises. Adopting cloud services brings new management challenges and requires security capacity on the part of adopting organizations to make it work (or recover from failure when it doesn’t).

Cloud computing can be a lower cost alternative to on-premises information technology at comparable levels of security. The most successful segment of the cloud market, Infrastructure as a Service (IaaS), comes closest to mimicking traditional IT deployments. Cloud providers consolidate the physical security and plant management needed to keep data centers operating. They may offer well-integrated tools to manage credentials and security tokens and help reduce the effort required to manage incident detection and response programs.

Platform as a Service (PaaS) offerings are a more complex kettle, with trends toward containerization and “serverless” computing handing even more control and administrative responsibility over to cloud providers. This can produce benefits, hyper-cost-efficient services and novel offerings like confidential computing, which allows data to remain encrypted while being handled by a provider. PaaS presents new challenges as well. “Serverless” in particular offers organizations a new way of organizing their digital resources, creating new headaches in how to secure data, authenticate users and control access to sensitive resources. Users are relinquishing ever more control over security design and operational decisions in exchange for cost efficiencies, less administrative responsibility and potential security benefits.

The U.S. strategy to secure cloud computing is incomplete and, unless there is a shift in regulatory thinking, the push for cloud computing as a solution to security shortfalls in small and medium-sized organizations will only produce more risk. Policies need to reflect the fact that cloud is not a panacea for security—it offers opportunities for large and small enterprises but also serious pitfalls—and should address the disparity in different cloud providers’ security capabilities. Successful efforts will produce certifications and security schemes that are sensitive to the presence of different kinds of infrastructure underneath a cloud service, are quickly adaptable to new features and new threats, and account for the need to manage complexity and not just increase it.

While companies like Microsoft and Google can afford to maintain specialized security and threat intelligence teams and Amazon has engineered its own technical solutions to particular security risks, like the Nitro hypervisor system, size is no guarantee of success. Amazon’s popular S3 data storage service is regularly plagued by compromised credentials, and a former employee with knowledge of the firm’s cloud infrastructure was responsible for a massive breach of Capital One’s customer records in 2019. Smaller vendors face the challenge of playing against the same adversaries as hyperscale providers (Microsoft, Amazon, Google and Alibaba) with far fewer resources. Smaller firms also have access to less data derived from their customers—a key resource for cloud providers to learn about attacks on their services and stop them more effectively.

The situation is further complicated by overlapping regulatory requirements in the United States, European Union, and globally that require security time and talent be devoted to complying with outdated requirements rather than optimizing to current security challenges. The U.S. government’s regulatory approach to cloud computing security is focused largely on risk management of the infrastructure itself, with some consideration for services, and little attention paid to the disparities in security capability between providers. The FedRAMP program provides a framework to authorize cloud services for use by federal agencies and departments. Based on security controls assembled by the boffins at the National Institute of Standards and Technology, FedRAMP is a slow security certification process that has evolved to distinguish different cloud service models but remains hamstrung by outdated federal IT security legislation like the Federal Information Security Management Act. FedRAMP as a whole is improving but is far outstripped by the pace of evolving commercial cloud services market, lags federal cloud adoption, and is ultimately bound to a risk management framework that has been adapted to cloud rather than created for it.

European efforts on cloud security have been limited to national policies, but a working group is underway to build a European Cloud Certification. The content of the certification and its focus are still uncertain. In an ideal world, any new entries to the regulatory landscape would work to fill holes in current standards and policy—addressing gaps in standards for cloud providers’ supply chain security, inconsistencies in national approaches to sharing security and incident response data, or leveling up the weakest security performers in the cloud industry. Dan Geer and Wade Baker published a short but insightful piece in late 2019, discussing the relative security performance of organizations operating their own computing infrastructure (on-premises) as opposed to those relying on a cloud services vendor. Their conclusion offered support for the thesis that cloud computing is not a panacea for security and gave a narrow but valuable view into the variable security performance of different cloud firms and the cloud as a general model versus on-premises infrastructure.

Cloud computing is an increasingly important domain of technology development and use. Its growth from academic research project to commercial technologies with billions of dollars in sales has commoditized computing capacity, storage, and networking bandwidth and led to a new generation of data-intensive startups. The security of these services as well as the security benefits they might offer organizations are not without cost and bring new challenges. Wherever the renewed debate on cloud computing security in the U.S. goes, it must account for the rapidly changing architecture of cloud services and the flexibility with which new services are created and modified along with the variable security capability of cloud providers. Transparency is an important tool to drive this flexibility with users and regulators and should encourage a more informed marketplace of cloud consumers. Cloud computing isn’t a magic wand, but it provides a new set of tools to organizations and policymakers. Building (and rebuilding) policies to complement these tools will be a long but worthwhile effort.


Trey Herr is Assistant Professor of cybersecurity and policy at American University’s School of International Service and director of the Cyber Statecraft Initiative at the Atlantic Council. At the Council his team works on the role of the technology industry in geopolitics, cyber conflict, the security of the internet, cyber safety and growing a more capable cybersecurity policy workforce.

Subscribe to Lawfare