Cloud reports

Collective cybersecurity for the Three Seas

In Central and Eastern Europe’s Three Seas region, twelve countries have joined together to invest in critical infrastructure projects and increase interconnectivity on energy, infrastructure, and digitization efforts along the way. To strengthen the resilience of these technical investments and better bind together the defensive cybersecurity operations of these societies, Three Seas member states should establish a regional hub for cybersecurity together with key private sector partners to function as a shared platform for collective security against adversaries targeting critical infrastructure and ever more popular cloud services.

Dude, where’s my cloud? A guide for wonks and users

If you have ever been curious about what exactly “the cloud” meant; if you are a policy wonk not a technologist, a user not an admin, then this report is for you. When you’re done reading, you will be able to explain to your family what happens with their iCloud backup, or just might manage to keep your boss from sounding confused in their next committee hearing with Jeff Bezos.

Four myths about the cloud: The geopolitics of cloud computing

Cloud services are becoming the battleground for diplomatic, economic, and military dispute between states. Companies providing these cloud services are substantially impacted by geopolitics. This paper pokes holes in four recurrent myths about the cloud to provide actionable advice, intended to increase the transparency and security of the cloud, to policymakers in the United States and European Union and practitioners in industry.  

Cloud concepts

Illustrating cloud service models

Building cloud services looks a bit like assembling Lego blocks. Like a toy store, cloud service providers rent out assorted Lego blocks for users to build customized systems while also offering ready-to-use designs built pre-assembled. At the bottom of this stack of blocks is Infrastructure as a Service (IaaS) which sells the basic computing pieces: storage, processing, network bandwidth, and just enough software to tie them all together. Users have a lot more work to build, maintain, and manage all of these blocks but also get to be much more selective about which blocks they use and where. Platform as a Service (PaaS) sells these prefabricated combinations of blocks in the shape of different computing services—machine translation or tools to process credit card information from point-of-sale systems. These PaaS services provide functionality to software developers and customers looking to connect existing applications to cloud services. SaaS looks most akin to the software you might find on a laptop— word processors, email clients, and chat apps. Cloud providers manage the computing infrastructure and services behind SaaS offerings, giving users comparatively less control or ability to configure but maximum gloss and functionality.

Illustrating the multi-tenant model

At the root of the majority of cloud computing is the shared services model, where many users reside on a single physical machine. Multitenancy is the term used to describe shared use, while the technology that makes it possible is called a hypervisor: software that supervises a computer and divides up its resources—processor time, memory, storage, networking bandwidth, etc.—like cake at a birthday party where every partygoer is blindfolded. Everyone gets to enjoy their slice of cake, unaware of those around them enjoying their own portions, too. The hypervisor keeps each user separate, giving them a turn to use the computer while creating the appearance that each is alone on a single machine. The hypervisor is critical to keeping users isolated from one another. Flaws in the hypervisor software can enable attackers to escape from their slice of the computer into that of other users or, worse, into the host machine’s operating system controlled by the cloud provider. 

Components of a data center

Cloud services are supported by a network of data centers. Each contains thousands of servers organized into racks, which are collected into spines. At each level, there are multitudinous network connections to minimize the distance (and thus the time) it takes for information to travel from one server to another.

Data center server supply chain

Cloud computing is already a pervasive infrastructure and an important source of supply chain risk. Major cloud providers aggregate the risk from commodity computing and networking technologies by purchasing processors, server boards, networking switches, routers, and more in galactic quantities. Each of these chips, cables, software packages, and servers comes with potential vulnerabilities. Cloud services rely on massive quantities of software, including code developed by third parties and open-source projects.

Illustrating data types in the cloud

It is challenging to talk about cloud computing without discussing data. For all its metal and concrete infrastructure, snazzy code, and marketing materials, cloud computing often comes down to managing huge volumes of data. Three categories are helpful:

  • User data, what the customers of a service store in the cloud: emails, tax files, design documents, and more.
  • Derived data, which allows cloud providers to learn about how users access and interact with these files: which documents do users from an office in Berlin tend to access first and should they be stored nearby to reduce latency? 
  • System data, or what cloud providers learn about their systems from the way users consume services: what causes a spike in processor utilization or a drop in available bandwidth to a data center or a security alert for malware? 

Cloud deployment models

While the public cloud is the most dominant form of cloud computing, there are other deployment models. Private clouds take the same design of infrastructure and management systems but deploy them for only one organization, operated either by the provider or that consuming organization. Community clouds are effectively public clouds whose tenants are users of multiple associated organizations, like Microsoft’s Azure Government—accessible to federal agencies as well as state and local governments but not the private sector. The economics of cloud computing improve as the user base grows, so public cloud deployments tend to have the widest variety of services and the most cutting-edge features. One of the biggest sources of growth in private and community clouds are national security and intelligence agencies, including in the United States and in the UK, as these groups have expressed discomfort with their lack of control over the public cloud’s security standards and inherent multitenancy.

Global cloud data center map

Cloud tunes

The Atlantic Council’s Cyber Statecraft Initiative, within the Scowcroft Center for Strategy and Security, works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.