A report by the Atlantic Council’s Cyber Statecraft Initiative under the Digital Forensic Research Lab has identified two risk factors, compounded dependence and delegated control and visibility, that should inform the design of a national cloud risk management policy for critical infrastructure sectors.
Compounded dependence emerges when widespread adoption of cloud service offerings prompts organizations to rely on a few technology systems, while delegated control and visibility can create risks when cloud services adopters lose visibility into the operations of technology systems, according to the report published Monday.
Maia Hamin, associate director at the Cyber Statecraft Initiative, told Nextgov/FCW that challenges with the two risk factors are rising as organizations move to outsource major components of their risk management initiatives to cloud service providers.
“Because there are so few cloud providers and services are interlinked through complex webs of dependencies, one outage or compromise could impact a host of organizations at a time, making the risks of compounded or interlinked failure more acute,” Hamin added.
The report calls for the establishment of cloud management offices within sector risk management agencies to help improve cloud visibility within critical infrastructure sectors.
The document also comes with three policy recommendations, the first being the need to systematically assess cloud computing use in critical sectors.
The other two recommendations are to survey and update cloud policies and resources, and to develop a structure for cross-sector cloud risk oversight.