The cloud is critical infrastructure – here's what that really means

  • Policy has not kept pace with how essential cloud computing has become to critical systems.

  • Cloud attacks, such as SolarWinds, aren't the only threat, as evidenced by the wildfires on Maui.

  • Regulators and cloud companies need to work together to make reasonable rules.

The increasing reliance of critical infrastructure on cloud computing means government and corporate policies must change to manage emerging risks, including wildfires and other natural disasters, according to think tank Atlantic Council's research arm Digital Forensic Research Lab (DFRLab).

Certainly, cloud computing's benefits, such as cost savings, scalability and outsourced management of infrastructure, security and availability, have led to rapid adoption. But DFRLab warns that policy has not kept pace with how essential cloud computing has become to the functioning of critical systems.

In particular, the brains at the lab think it's high time the industry focused on five critical infrastructure sectors: healthcare, transportation and logistics, energy, defense and financial services. Otherwise, businesses and individuals face the potential of disaster not just in technology security but also in safety and security more broadly.

"Cloud service providers are critical infrastructure with weaknesses that threaten our national security, public health and financial institutions, and they are currently self-regulated by engineers and leaders without an understanding of the responsibility and accountability that implies," Shane Miller, Atlantic Council senior fellow and former Amazon Web Services (AWS) engineering leader, said. "Business risk decisions are based on the history and experience of people focused on shiny features, cost containment and time to market."

Looming cloud threats

Cloud attacks such as the SolarWinds hack, in which the Russian government-affiliated Cozy Bear hackers compromised Microsoft Azure’s Identity and Access Management (IAM) services, are only going to become more common — in fact, they already have.

Recently, Chinese hackers cracked Microsoft Azure's cloud e-mail system, and far more. Microsoft revealed that a group it has labeled Storm-0558 gained access to e-mail accounts at approximately 25 organizations in the public cloud, including government agencies, as well as related consumer accounts.

Further investigation into the hack revealed a compromised private encryption key (MSA key) was used not just to forge access tokens for Outlook Web Access (OWA) and Outlook.com, but it "could have allowed the threat actor to forge access tokens for multiple types of Azure Active Directory applications, including every application that supports personal account authentication, such as SharePoint, Teams, OneDrive, customers’ applications that support the 'login with Microsoft' functionality and multi-tenant applications in certain conditions," Shir Tamari, head of research at cloud security company Wiz, told Silverlinings.
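The passage above describes one compromised signing key being usable to mint tokens that many different application types would accept. The control a relying party can put in place is to pin each signing key to the audiences it is allowed to vouch for, so that a validly signed token is still rejected when the key behind it was never authorized for that application. The following is an added example, not code from the article, Microsoft or Wiz: HMAC-SHA256 stands in for the asymmetric signatures real identity providers use, and the key ids (`consumer-key`, `tenant-key`), audiences, secrets and the `KEY_REGISTRY` structure are all constructed for illustration.

```python
"""Added example: a token verifier that pins signing keys to audiences.

A signature check alone asks "was this token signed by a key I know?"
The extra check here asks "is that key allowed to speak for this audience?"
so that a key scoped to consumer accounts cannot mint tokens an enterprise
application will accept, even if the signature itself is valid.
HMAC-SHA256 is a stand-in for real asymmetric signing; all ids/secrets
below are constructed."""
import base64
import hashlib
import hmac
import json
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Constructed key registry (hypothetical): each key id maps to its secret and
# to the set of audiences that key may issue tokens for.
KEY_REGISTRY = {
    "consumer-key": {"secret": b"consumer-secret-constructed",
                     "audiences": {"outlook.com"}},
    "tenant-key": {"secret": b"tenant-secret-constructed",
                   "audiences": {"sharepoint", "teams"}},
}


def mint_token(kid, secret, aud, sub, ttl=300, now=None):
    """Build a header.payload.signature token (test issuer only)."""
    now = int(time.time()) if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "kid": kid},
                             separators=(",", ":")).encode())
    payload = _b64(json.dumps({"aud": aud, "sub": sub, "iat": now,
                               "exp": now + ttl},
                              separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(),
                   hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_token(token, expected_aud, registry=KEY_REGISTRY, now=None):
    """Return (ok, reason).

    Rejects malformed tokens, unknown key ids, unexpected algorithms, bad
    signatures, audience mismatches, keys not authorized for the audience,
    and expired tokens, in that order."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_unb64(h))
        payload = json.loads(_unb64(p))
    except ValueError:  # covers bad base64, bad JSON and wrong part count
        return False, "malformed"
    entry = registry.get(header.get("kid"))
    if entry is None:
        return False, "unknown kid"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected_sig = hmac.new(entry["secret"], f"{h}.{p}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _unb64(s)):
        return False, "bad signature"
    if payload.get("aud") != expected_aud:
        return False, "audience mismatch"
    # The key-scoping check: a valid signature from the wrong key still fails.
    if expected_aud not in entry["audiences"]:
        return False, "key not authorized for audience"
    if payload.get("exp", 0) <= now:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    secret = KEY_REGISTRY["consumer-key"]["secret"]
    # A token for an enterprise audience signed with the consumer key: the
    # signature verifies, but the key is not authorized for that audience.
    t = mint_token("consumer-key", secret, "sharepoint", "alice", now=1000)
    print(verify_token(t, "sharepoint", now=1100))
```

The ordering matters: signature and audience are checked before expiry so that a caller sees the most security-relevant failure reason first, and `hmac.compare_digest` is used so signature comparison does not leak timing information.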

This kind of trouble is far from just a tech issue. Behind it is a business-focused decision framework that results in failures like the breach of U.S. Ambassador to China Nicholas Burns’ email, said Miller.

Miller said she "absolutely support[s] the policy recommendations from the Atlantic Council’s Cyber Statecraft Initiative to (1) systematically evaluate cloud computing use in critical sectors, (2) survey and update cloud policies and resources and (3) develop a structure for cross-sector cloud risk oversight, and I recommend urgency in achieving them."

Making these issues even more urgent, according to the DFRLab, are two elements — compounded dependence and delegated control and visibility — which differ from previous computing paradigms.

The former refers to widespread cloud adoption causing a range of organizations to depend upon a few shared technology systems. The latter describes how organizations adopting cloud services cede control of and lose visibility into their systems' operations and failure modes.

Guarding the cloud

DFRLab has three recommendations on how to solve these major cloud security challenges.

First, regulators need more information than they currently have about cloud providers and about how their agencies use these cloud services. Until they have this information, they can't make informed decisions about their systemic cloud-related risk.

Then, they must update cloud policies, rules and regulations with that information. For example, today, in healthcare, cloud medical records are governed by the Health Insurance Portability and Accountability Act (HIPAA), which sets a patient data confidentiality standard.

However, DFRLab said there need to be more such laws, and they must also be written for the cloud world. After all, many existing regulations don't give regulators the right to examine cloud providers directly. Others use poorly designed language that fails to require sector cloud customers to obtain the necessary assurances about the cloud systems they depend on.

Take, for instance, the brand new SEC cybersecurity rule. The rule requires companies to reveal significant security incidents in outside clouds; these days, any significant incident is almost certainly going to involve cloud services.

Plus, the rule's four-day disclosure window is simply too short, according to Craig Burland, CISO of the cyber-security firm Inversion6. "First, they have to determine if the cyber event was an incident – data was lost, business was disrupted, etc. Finding sufficient evidence to prove loss takes time. Second, the impact has to be material. For large corporations, this is a high bar that very few incidents would eclipse," he said.

The SEC's intention is good, but it's not technically feasible. Regulators and cloud companies need to work together to make reasonable rules, he added.

Finally, policymakers also need the data to understand the complex webs of interdependencies that create risks in the cloud environment. This is about more than hybrid and multi-cloud issues. It means understanding how some components, such as IAM or resource allocation services, are cloud failure points. Losing, say, access to word processing services is bad, but losing IAM means everything is endangered.

Indeed, cloud security is no longer just about the security of services. It's about the durability of the infrastructure underpinning fundamental economic and political activities. For policymakers, major changes must be made before a cloud security problem becomes a problem for everyone.