Chapter 1: What Is the Cloud?
Chapter 2: The Origins and Evolution of the Cloud and Its Market
Chapter 3: Cloud Security
Chapter 4: Additional Public Policy Issues to Consider
Conclusion: The Cloud in Need of Protection
Appendix A: A Review of Past Cloud-Related Incidents and Key Issues Raised
Appendix B: Abbreviations, Figures, and Tables
The growth of the cloud has been truly astonishing. In less than fifteen years, it has become part of everyday life and casual conversations about moving photos and other data into the cloud. Omnipresent advertisements at airports, on buses, and on websites further embed the term in society's collective consciousness. Tech companies report multiple billions of dollars in revenues, increasingly driven by their cloud businesses. Even the Pentagon is betting on the cloud with its $10 billion Joint Enterprise Defense Infrastructure (JEDI) contract. By 2020, the overall cloud services market is expected to be $266.4 billion, a 17 percent increase compared to 2019.
The coronavirus pandemic has revealed how important the cloud is for bolstering societal resilience. According to a March 2020 Business Insider article, one expert projected that more than half (55 percent) of workloads would be migrated to the cloud by 2022 compared to 33 percent now; he claimed that these projections "now look conservative as these targets could be reached a full year ahead of expectations given [the current] pace." In the wake of the pandemic's initial outbreak and the accompanying move to telework, previously cautious executives started seeing migration to the cloud as an urgent necessity.
As businesses increasingly rely on cloud services, the role of the huge cloud service providers (CSPs) has received greater scrutiny. Calls for regulating CSPs have been growing amid concerns about the systemic risk of businesses' move to the cloud. For example, a 2018 report estimates that a three-to-six-day outage of a major CSP would cause economic losses up to $15 billion.
However, the debate about cloud security remains vague and the public policy implications poorly understood. This starts with the question: what is the cloud? Most of the debate is about the public cloud, and the short answer is "cloud computing is really just a fancy name for someone else's computer," as Rob Joyce, then chief of the Tailored Access Operations at the U.S. National Security Agency, explained in 2016.
Thinking through the public policy implications, the image of a cloud obscures as much as it explains. A more nuanced picture emerges when the cloud is considered in terms of its layers-from the physical data centers and network cabling that form its foundation to the virtual software environments and applications that everyday users interact with. Yet a more technical understanding will only go so far. An appreciation of the multibillion-dollar marketplace for cloud services is also required.
What makes the public cloud interesting is that the thousands of "someone else's computers" that compose it are concentrated in the hands of a few CSPs. Amazon Web Services (AWS), Microsoft Azure, and Google Cloud are known as hyperscale CSPs with firms like Alibaba Cloud and Tencent playing a similar role in China. As cloud services have grown, a few vast enterprises built on the backs of these tech giants, in their U.S. and Chinese variants, have secured most of this lucrative market.
Protecting this new, highly complex infrastructure is a herculean task, one enabled by the size and accumulated talent of the major cloud providers but also potentially imperiled by their growing importance for critical industries. When thinking about cloud security from a public policy perspective, the need to address an existing public policy problem must be further differentiated from the need to address an emerging public policy problem. The existing problem is the rising cost of cyber attacks and the reality that most organizations-governments and companies-cannot effectively protect themselves. Very few organizations can rival the security teams of the major CSPs and are therefore better off entrusting their security to these external firms' security teams. The emerging problem is the systemic risk associated with a centralized approach.
Overall, cloud security is a nascent policy area, particularly for policymakers concerned about potential systemic risk. As policymakers consider risks associated with the cloud, it will be important for them to connect threats to impacts. This is a difficult task due to the variance in potential impact depending on the data and services at risk. Furthermore, any potential regulations will have to balance other public policy interest areas such as data governance, geopolitics, and antitrust policy.
This primer provides an overview of the cloud and its security dimensions covering the basics of some of the most pressing questions for policymakers and technologists today. In many cases, this paper is only a starting point highlighting the need for further study. To avoid recreating an insecure cyberspace in the cloud, further study on such topics should be an urgent priority. This primer specifically adds value by offering (1) a conceptualization of the layers of the cloud services' architecture in table 1 on page 9, (2) an overview of the evolution of the cloud marketplace in chapter 2 starting on page 10, (3) a timeline of key cloud security incidents in table 5 on page 25, (4) a mapping of potential cloud security threat vectors to their impacts from a technical perspective in figure 5 on page 30, and (5) a framework for assessing the severity of cloud security incidents based on their impact in table 6 on page 37.