But the cloud trust question won’t go away, because it is central to the core task of government. Governments are willing to go to great lengths to gain access to secure cloud environments, as evidenced by the US DoD’s 10 billion dollar mega-procurement or the Franco-German Gaia X initiative to build a trustworthy European cloud federation.
To understand “trust”, we need to break this phrase down into components:
Governments have been trying to solve cloud trust problems using certification and risk-management frameworks. These have helped raise cloud services’ focus on security and clear a pathway through bureaucracy, but they don’t fundamentally change the dynamics of cloud trust.
A case in point is the FedRAMP program, which (to its credit) has driven US federal government cloud adoption, including for SaaS. But FedRAMP imposes serious obstacles: certification takes 12-18 months to achieve and is so costly that many categories simply lack certified options; data is held in the US; and many providers impose nationality restrictions on their employees. That makes a similar program almost impossible to replicate in smaller countries without the depth of the US domestic cloud market (basically everyone bar, perhaps, China).
Furthermore, a recent Government Accountability Office report found that even FedRAMP has failed to keep up with the dynamic nature of cloud. Reacting to the report, a group of former US officials have laid out a vision to move US government cloud security to continuous, incremental and automated monitoring.
It’s these kinds of visions for continuous monitoring and security automation that led Guardtime to join Verizon in building Machine State Integrity (MSI):
MSI provides a fundamental paradigm shift in every area of cloud trust because it solves the problem that the cloud is “somebody else’s computer.” Through continuous state awareness and monitoring, MSI gives cloud users a level of control and insight into their data and what is happening with it equal to holding it on-premise. MSI creates a new architecture of trust in the cloud.
Let’s walk through how this moves the needle in every element of cloud trust for government:
Security and data.
We’ve written at length about what MSI means for cloud security elsewhere, but a few points stand out for governments:
Human error and complexity in the cloud. One of the biggest sources of cloud security incidents is misconfiguration. This can be a particular issue in government, where IT teams may be small or unfamiliar with cloud. MSI detects misconfigurations (against a defined policy or a historical baseline) automatically, which creates a safety net for human error and helps detect insider attacks.
Public administrations are cost-conscious and have difficulty increasing headcount. MSI simplifies the task of cloud security monitoring, log analysis and incident detection, allowing security monitoring to be done with a small team.
Finally, governments have a unique responsibility for data integrity - they are the authority of record and a single source of truth for everything from land records to the law. MSI brings Guardtime’s KSI® Blockchain, which has been guarding the integrity of Estonia’s critical e-government systems since 2012, to data in the cloud. KSI-backed records are provable at scale today, and remain provable against all foreseeable cryptographic threats, including quantum attacks.
Cloud compliance generally means audits every 12-24 months. While this is shifting to a notion of “continuous compliance”, that often means monthly, not truly continuous. Audits remain labor-intensive and expensive, and discrepancies frequently remain unresolved. While many companies approach compliance as a risk-management exercise with a price tag (and liability limitation) attached to it, compliance frameworks in government are frequently driven by CISOs or national security bodies with a much lower tolerance for risk.
MSI gives truly dynamic (on a second-by-second, not month-by-month) attestation of compliance. Security requirements (such as ISO27001, the NIST 800-series, BSI IT Grundschutz or forthcoming ENISA standards) are coded into control templates. Up to once a second, MSI compares the state of configurations in the cloud fabric and every individual machine to the compliance framework. Violations in policy are detected in real-time and alerted immediately; MSI can also be configured to allow automatic remediation of the problem. And because MSI generates a cryptographically provable evidence trail, automated proof of ongoing compliance can be generated for auditors anytime.
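A compact illustration of the loop described above and in the misconfiguration point earlier (a control template, a state comparison that flags both policy violations and drift from an accepted baseline, optional auto-remediation, and a hash-chained evidence trail), written as an added example for this page and not Guardtime’s, Verizon’s or MSI’s code; the control names, settings and timestamps are constructed, and the simple SHA-256 chain stands in for KSI signing.

```python
import hashlib
import json

# Constructed control template (hypothetical, not an MSI template): expected
# setting, severity, and whether automatic remediation is permitted.
CONTROL_TEMPLATE = {
    "ssh.password_authentication": {"expected": "no", "severity": "high", "remediate": True},
    "ssh.permit_root_login": {"expected": "no", "severity": "high", "remediate": True},
    "firewall.default_inbound": {"expected": "deny", "severity": "high", "remediate": False},
}

def digest(obj):
    # SHA-256 over canonical JSON, so equal content always hashes equally
    return hashlib.sha256(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def evaluate_state(state, template=CONTROL_TEMPLATE, baseline=None):
    # Policy findings: observed setting differs from the template's expected value
    findings = [{"control": c, "kind": "policy", "severity": r["severity"],
                 "observed": state.get(c, "<missing>"), "expected": r["expected"]}
                for c, r in template.items() if state.get(c, "<missing>") != r["expected"]]
    # Drift findings: settings outside the template that changed since the accepted baseline
    findings += [{"control": k, "kind": "drift", "severity": "review",
                  "observed": state.get(k), "expected": v}
                 for k, v in (baseline or {}).items() if k not in template and state.get(k) != v]
    return findings

def remediate(state, findings, template=CONTROL_TEMPLATE):
    # Auto-fix only policy findings whose control permits it; returns the controls fixed
    fixed = [f["control"] for f in findings if f["kind"] == "policy" and template[f["control"]]["remediate"]]
    for c in fixed:
        state[c] = template[c]["expected"]
    return fixed

class EvidenceTrail:
    # Append-only log: every entry commits to the previous entry's hash, so a
    # later edit or deletion of any entry is caught by verify()
    def __init__(self):
        self.entries = []
    def record(self, ts, machine, state, findings, fixed):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"prev": prev, "ts": ts, "machine": machine, "state_hash": digest(state),
                "findings": findings, "fixed": fixed}
        self.entries.append({**body, "hash": digest(body)})
        return self.entries[-1]["hash"]
    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

Running evaluate_state on each machine once a second and recording the result gives the auditor a chain that can be re-verified at any time; without an external anchor (which is what KSI provides), the chain only protects against edits made after the last entry the auditor has already seen.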
SLAs and contractual agreements. But governments have a further compliance problem that isn’t about security. Public authorities’ hands are tied by procurement rules that don’t allow them simply to walk away from a contract if they are not satisfied with the level of service. Far more than private companies, they rely on certifications and SLA agreements to maintain a level of quality in the cloud services they consume. Unfortunately, with the growing complexity of cloud, these SLAs can be very difficult to monitor, and proving that a cloud provider hasn’t followed the SLA can be even more difficult.
Until now: MSI’s continuous state monitoring means that even the smallest deviation from agreed service parameters (e.g. 1-2 seconds of downtime for a specific virtual service) can be detected, and logged as provable evidence that will hold up in court.
Inter-agency trust and monitoring.
While we have been focused on outward-facing trust (toward the cloud service), the reality is that many government agencies also don’t really trust each other. This gets in the way of shared service models, where multiple agencies pool resources, and makes turf wars over security monitoring contentious.
MSI facilitates granular control over information-sharing: you can share the full situation picture with multiple recipients, or send a restricted live feed to a CSIRT or compliance office. Because all MSI reports are provably correct and self-auditing, all parties will know they’re getting the truth of what is going on in the cloud, without needing to trust each other.
We have been talking about what MSI does for trust and security, but the implications for government cloud are broader. As we work with governments on new cloud deployments secured with MSI, we are finding that MSI gives public authorities control over their data in other ways. MSI is a powerful tool for avoiding vendor lock-in driven by security requirements, and for opening the door to hybrid cloud and more aggressive SaaS usage. In short, Machine State Integrity allows governments to unlock the full value of the cloud in 2020.