Enabling modernization through clear, effective cloud governance
As a strong supporter of the recent U.S. National Cybersecurity Strategy, Microsoft aims to be a partner in realizing its many objectives, but we believe modernization is one of the most foundational. As EO 14028: Improving the Nation’s Cybersecurity also recognizes, modernization through well-managed adoption of cloud services is critical to rapidly enhancing security and resiliency. Moving to the cloud allows far more to be secure by design and secure by default.
While recognizing the cloud’s benefits and the need to accelerate the migration of legacy government systems, the Strategy also aims to address three cloud governance concerns. The first is how essential cloud services are to critical infrastructure resilience. The second is the balance and implementation of security responsibilities among providers and users of technology, including cloud services. The third is how malicious cyber actors abuse cloud infrastructure.
Modernization and cloud governance efforts must be pursued in synchrony.
If two urgent goals are perceived to be in conflict, uncertainty and stagnation can result. But efforts to foster well-managed cloud adoption and to address cloud security concerns do not need to be at odds; in fact, they cannot be if the Administration’s Strategy is to be fully realized. Clear, effective, and streamlined governance must enable modernization by ensuring that a high common baseline strengthens both trust in the cloud and security outcomes among governments and critical infrastructure. Conversely, ineffective cloud governance efforts could raise the costs of cloud services and reduce security.
Recognizing the interconnection between modernization and governance objectives means that both can be, and should be, pursued jointly and in coordination. How to do so is more complex. There is a need for consistency and coherence across government efforts to address all three concerns while enabling modernization, including by improving programs like FedRAMP.
Building from current tools and gaps can support implementation of these complementary objectives.
Effective product design requires vision and strategy; likewise, integrated cloud governance and modernization efforts require deeply understanding goals, challenges, and the tools and gaps we have today. Getting precise about where we need to build something new or improve what already exists can help us refine our understanding of goals and challenges.
There are several useful starting points for cloud governance and modernization, including FedRAMP. To strengthen assurance in cloud resiliency, we can assess FedRAMP’s family of contingency planning controls and any persistent or emerging gaps. To facilitate appropriate implementation of cloud security responsibilities, FedRAMP’s Customer Responsibility Matrix could also be built upon to clarify responsibilities across different service models and help identify where providers could commonly take more responsibility.
Ultimately, any new cloud security or resiliency requirements should be risk-based and unified across sectors, allow cloud providers to be agile in defending against evolving threats, and clarify security responsibilities among providers and users. We will also need a modern, scalable approach to verifying conformance with updated requirements – as well as ongoing iteration to get the requirements and conformance processes right.
As the Strategy also highlights, deterring and mitigating cloud abuse can likewise start from EO 13984, including its approach to incentivizing best practices that inhibit agile threat actors. We need to define practices that drive down the creation and impact of fraudulent accounts; recognize how operators find and expel threat actors, whether they are abusing purchased or compromised accounts; and advance information-sharing partnerships.
Investing in the improvement of existing tools like FedRAMP means that we concurrently make progress on our interconnected modernization and governance goals. We enhance the security outcomes of the program designed to accelerate well-managed adoption of cloud services among Federal agencies.
Otherwise, we risk fractured security requirements that are implemented inconsistently across cloud service providers and users – and worse, a less innovative environment in which smaller cloud providers and their compliance teams struggle with a lack of clarity and integration. Existing integration challenges, including with FedRAMP and EO 14028, may also be compounded by separate and inconsistent approaches among Federal authorities and regulated sectors.
Implementation of a cohesive approach and iterative improvement is what will ultimately matter most.
The Strategy also recognizes this, and we look forward to the forthcoming Implementation Plan and opportunities to engage on next steps. We believe that structures and processes that facilitate close cooperation across government and industry partners are critical to enabling us to make quick, effective adjustments as we refine a governance approach and learn together.
Our cybersecurity future in what the Strategy calls “this decisive decade” depends on acting quickly and without compromising on collaboration. Ensuring the cloud industry adheres to a high common baseline is a critical foundation not only for trust, cloud adoption, and resiliency but also for the next wave of AI advancements that will rebalance our security equation in favor of defenders.
Experienced Technology Professional with a Passion for Innovation, Decotechs - Hanker
1 year ago: As information security continues to evolve, it is imperative that we become more agile in defending against ever-evolving threats.
Zscaler | Fmr CISA - Zero Trust Director | CCIEx2, MS-IST, CISSP
1 year ago: “Ensuring the cloud industry adheres to a high common baseline is a critical foundation not only for trust, cloud adoption, and resiliency but also for the next wave of AI advancements that will rebalance our security equation in favor of defenders.”