Despite the increasing adoption of cloud technologies, many agencies and organizations struggle to adequately secure their systems and federal networks. The report highlights challenges related to compounded risk and delegated control and visibility, as organizations increasingly rely on cloud service providers (CSPs) for risk management. This reliance requires trust in the security and resilience promised by CSPs, as a single outage or compromise could impact multiple organizations simultaneously.
The report identifies two key risks linked to cloud technologies: compounded risk and delegated control and visibility. Compounded risk arises when multiple cloud services are used, creating a complex infrastructure that increases the likelihood of security breaches. Delegated control and visibility pose risks when cloud service users have limited insights into the underlying infrastructure and lack direct control over critical security matters.
While cloud computing offers efficiency and scalability benefits, adopting organizations often face risks due to misunderstandings about their reduced responsibilities and how traditional models apply to the cloud, explained Maia Hamin, associate director at the Cyber Statecraft Initiative.
The report highlights the increasing adoption of cloud computing across critical infrastructure sectors. For example, the healthcare sector, which spent over $28 billion on cloud computing technologies in 2020, is projected to spend nearly $65 billion annually by 2025. Major organizations in transportation, logistics, and defense have also initiated cloud transitions.
However, the defense sector lags behind in adopting cloud technologies due to stringent security requirements. The Navy stands out as the primary adopter of cloud computing within the U.S. military, transitioning critical management tools for hundreds of ships and aircraft to the cloud in 2020. Defense contractors, like Boeing, have also started integrating cloud deployments with their on-premises infrastructure.
Despite the increasing adoption of cloud technologies, many agencies and organizations struggle to adequately secure their systems and federal networks. The report highlights challenges related to compounded risk and delegated control and visibility, as organizations increasingly rely on cloud service providers (CSPs) for risk management. This reliance requires trust in the security and resilience promised by CSPs, as a single outage or compromise could impact multiple organizations simultaneously.
To address these issues, the report calls for the establishment of cloud management offices within sector risk management agencies such as the Department of Homeland Security, the Environmental Protection Agency, and the Department of Energy. These offices would evaluate sector dependence on cloud technologies, define best practices, and identify unique risk points specific to critical infrastructure and its cloud requirements.
Furthermore, the report encourages organizations to systematically evaluate their use of cloud computing and urges the Cybersecurity and Infrastructure Agency to facilitate the adoption of frameworks and best practices for organizations working with CSPs.
Hamin emphasizes the need for close collaboration between the federal government and major CSPs to understand and effectively manage the risks associated with cloud computing, which underpins much of our digital world today.