As they move increasingly critical workloads onto the cloud, both governments and enterprise cloud customers seek high levels of trust in the security and availability of their cloud services. Certification programs seek to address these demands by requiring cloud providers or individual cloud services to meet certain technical and assurance criteria. Certifications can differ dramatically in scope and sector. Some, like FedRAMP,1 are designed to ensure the security of cloud services used across the U.S. federal government. Others are more narrowly tailored to provide assurance for especially critical or sensitive functions in key sectors. Certification programs can also be used to increase customer confidence in the nonsecurity qualities of cloud services, such as their environmental impact. However, certifications are not a panacea, and many stakeholders see existing certifications as insufficient to address their concerns about the security and robustness of cloud services. This section explores the key challenges associated with designing, improving, and implementing cloud certification programs.
Key Considerations
Overfocused on cybersecurity. Certification programs are regularly designed to increase customer confidence in the cybersecurity of cloud systems, but often neglect to account for the threats posed by nonmalicious triggers of failure, such as natural disasters, human error, and technical malfunctions. This may lead regulators and customers to be overconfident in the security and robustness of cloud systems and take for granted cloud providers’ efforts to address these concerns on their own.
Impact on agile tech development. Certification schemes may be resource- and time-intensive for the entities processing the certification as well as for the providers undergoing the assessment, as they require both initial as well as continuous monitoring processes, coordination between government representatives or other third-party auditors, subject-matter and technical expertise, and so on.2 These requirements and processes also risk delaying the delivery of new products and services, as these must also undergo certification.
Limited government capabilities. Governments struggle to audit cloud services and operations because such auditing is resource-intensive. Moreover, the rapid pace of innovation in cloud services makes it challenging for the government to keep up, since the greatest expertise lies with those involved in developing and operating the technology.
Regulatory redundancies and inconsistencies. Harmonizing certification requirements is essential to prevent regulatory redundancies, inconsistencies, and fragmentation across regions and sectors. Moreover, though there is a desire to be able to use existing certifications as evidence of reliable security practices when seeking certifications in other sectors or jurisdictions, the requirements in one sector’s program may not map onto those of another. Greater consistency across jurisdictions and functions would reduce regulatory compliance burdens for cloud providers and customers.
Unclear roles and responsibilities. Roles and responsibilities may be unclearly or inconsistently divided between auditing entities (for example, government agency representatives and third-party or corporate auditors). This may lead to inconsistencies in the way providers are assessed for compliance with certification requirements.
Stakeholder Perspectives
Are struggling to find ways to enhance surety of the cloud services on which critical sectors, such as finance, depend.
Seek a greater role in developing certifications for public cloud services.
Have a general interest in assurance programs and processes that are consistent with agile tech and business development, are universally applied across providers, avoid redundancy, and are risk-based and outcome-focused.
Welcome arrangements, such as certification programs, that enable them to understand cloud risks and assess providers’ security and robustness in order to ensure the protection of privacy and continuation of service under duress.3
Enterprise Customers: Seek to leverage cloud certifications to meet their own compliance and transparency requirements.
Tensions with Other Cloud Governance Issues
Effects of Cloud Market Concentration: Stringent security requirements and the associated compliance costs could increase barriers to market entry for nascent providers.
Environmental, Community, and Energy Market Impact:While certification programs can be used to drive progress on nonsecurity issues, such as the environmental sustainability of cloud services, such programs may raise similar challenges as security-focused programs. Moreover, certain elements of a security or robustness-focused certification program, such as maintaining redundant infrastructure in order to guard against the possibility of natural disaster-induced outages, could conflict with sustainability goals, which generally involve minimizing the physical presence and carbon footprint of the cloud.
Potential Ways Ahead
Improve communications channels between government and industry to provide feedback on and refine existing certifications processes by identifying areas in need of adjustment. These include a clear delineation of roles and responsibilities among auditing entities, irregularities in risk assessment, and validation across authorizers. (Shared with Cloud Providers.)
Work with cloud providers and enterprise customers to define high-level performance-based requirements and metrics for confidentiality, integrity, and availability of cloud services. These can differ based on the types of cloud service offered (such as storage, virtualization, and so on) and sectoral criticality. (Shared with Providers and Enterprise Customers.)
Distinguish between requirements for less and more sensitive government workloads and align certification criteria with those requirements.
Make audits of performance/compliance public or mandate provider’s transparency on performance.
Improve communications channels between government and industry to provide feedback on and refine existing certifications processes by identifying areas in need of adjustment. These include a clear delineation of roles and responsibilities among auditing entities, irregularities in risk assessment, and validation across authorizers. (Shared with Governments.)
Work with governments and enterprise customers to define high-level performance-based requirements and metrics for confidentiality, integrity, and availability of cloud services. These can differ based on the types of cloud service offered (such as storage, virtualization, and so on) and sectoral criticality. (Shared with Governments and Enterprise Customers.)
Help customers understand their new or potentially modified responsibilities under future performance-based certifications.
Work with governments and cloud providers and customers to define high-level performance-based requirements and metrics for confidentiality, integrity, and availability of cloud services. These can differ based on the types of cloud service offered (such as storage, virtualization, and so on) and sectoral criticality. (Shared with Governments and Cloud Providers.)
International standard setting bodies: Lay out high-level best practices for increasing the consistency of certification requirements across sectors and functions.
2 For example, please refer to the FedRAMP program in the US (See: FedRAMP, “Cloud Service Providers,” FedRAMP, n.d., https://www.fedramp.gov/cloud-service-providers/.), and the ISMAP program being developed in Japan (See: Government of Japan, “Operation of the Information System Security Management and Assessment Program (ISMAP) Starts,” Government of Japan, Ministry of Economy, Trade and Industry, June 3, 2020, https://www.meti.go.jp/english/press/2020/0603_001.html.).
3 Excessive compliance costs borne by providers may have undesirable impacts on the providers’ ability to leverage security telemetry for the early detection of abnormalities and cyber threats (which is a particular benefit of hyperscale providers).