With billions of people confined to their homes, the concept of "critical infrastructure" needs to be extended. To the traditional list of bridges, power plants, water filtration plants, airports, etc., we need to add cloud-based web conferencing (think Zoom, Webex, and Skype), online financial services, telehealth services, e-commerce, online delivery, and more.
In a very real way, our global economy and daily lives now depend on these online services. For example, teleconferencing services are de facto replacing air travel, with the aviation sector and most airports nearly shut down. Yet the sad fact is that if cloud-based services were regulated critical infrastructure like your average airport, the Transportation Security Administration would have shuttered many of them long before COVID-19 came along.
If Your Web Service Was an Airport
I travel a lot — or used to, before the coronavirus crisis. It's interesting that our sad experience with terrorism in recent decades led us to trust travelers — whom we can still see and touch — far less than we seem to trust faceless, remotely connected employees, contractors, users, or admins.
The security paradigm under which organizations like the TSA operate to secure modern airports has clear parallels in the web services arena — but also some vast differences. To illustrate, let's drill down into what we as travelers go through before we get on a plane, in comparison to what we online users go through before accessing critical web services:
But Web Services Are Not Airports
Thankfully, web services are not airports. Nor can they be secured like airports without destroying what makes them so great. To deliver the robust and massive-scale service they provide us, web services interact with thousands of other services and need to be accessible from every place and device. Hyper-connectivity is what makes these services so powerful — putting up barriers would simply ruin this.
While airports are only built once, cloud services are rebuilt every day by developers who introduce hundreds of changes. Every change introduced in an airport's architecture is thoroughly reviewed before implementation. The same level of scrutiny over changes in web applications would simply kill innovation.
Plus, do we really want to go through a TSA agent every time we access our bank account?
So, What Can Be Done?
Airport analogies aside, it's clear that we need to enhance the resilience of the web services on which we've grown increasingly reliant in recent years — and utterly reliant on today. Business, IT, and security leaders urgently need to ask themselves how to effectively reduce this risk without affecting the dynamism and connectivity that make these services so great. Here are three questions cloud-services vendors should ask themselves:
Given that remote is the new normal now, and is likely to continue being so after the crisis, it's time for our newest critical infrastructure providers to offer their awesome online services with a correspondingly awesome level of resilience.