Projects - Technology and International Affairs
Cloud Reassurance Project
About the Project

The universal adoption of cloud-centric operating models is bringing enormous benefits to every sector of the global economy, yet the ubiquity of dependence on common technologies and service providers also creates a new potential for systemic risk. Regulators and policymakers have expressed concern about the possibility of widespread, cascading effects if cloud services are disrupted, yet the nature of the risks, and the balance of responsibilities in addressing them, remain highly uncertain.

In response, the Carnegie Endowment for International Peace has launched the Cloud Reassurance Project—an initiative to create shared understanding among private sector stakeholders of the systemic risks associated with deepening global dependence on cloud technology.

The Cloud Reassurance Project brings together cloud service providers, enabling technology providers and (re)insurers. The project is funded by the participants, who are represented on technical and policy working groups. These groups include independent experts who bring deep knowledge of cloud computing and technology governance. Legal advisors ensure that all activities are compliant with antitrust requirements and, when required, provide guidance regarding confidentiality.

Programs

Technology and International Affairs

The Technology and International Affairs Program develops insights to address the governance challenges and large-scale risks of new technologies. Our experts identify actionable best practices and incentives for industry and government leaders on artificial intelligence, cyber threats, cloud security, countering influence operations, reducing the risk of biotechnologies, and ensuring global digital inclusion.

Learn More

The Cloud Reassurance Project brings together cloud service providers, enabling technology providers and (re)insurers. The project is funded by the participants, who are represented on technical and policy working groups. These groups include independent experts who bring deep knowledge of cloud computing and technology governance. Legal advisors ensure that all activities are compliant with antitrust requirements and, when required, provide guidance regarding confidentiality.

The project will run for approximately one year to investigate questions such as:

  • Evaluating the risk: what are the key features of a systemic event resulting from a disruption of cloud services? What are the plausible yet severe scenarios of most concern? Which services create the most significant accumulations of risk?
  • Bounding the risk: how can technical mitigations limit potential systemic impacts from cloud disruptions? How can stakeholders identify concentrations of risk, quantify it, and incorporate it in risk governance mechanisms?
  • Managing the risk: what is the appropriate balance of responsibilities between technology providers, users, regulators, and (re)insurers? How can this project create shared understanding of the risk among these stakeholders?

The project is overseen by a steering group, comprising the following stakeholder participants:

Rachelle Celebrezze
Senior Director of Government Relations and Head of Americas Public Policy
VMware

Edna Conway
Vice President, Security & Risk Officer, Cloud Infrastructure
Microsoft

Scott Kannry
Chief Executive Officer
Axio

Robert Kolasky
Senior Vice President for Critical Infrastructure
Exiger

Jürgen Reinhart
Chief Underwriting Officer – Cyber
Munich Re

Jordana Siegel
Data Protection and Public Policy
Amazon Web Services

Bobbie Stempfley
Board Chair
Center for Internet Security

Phil Venables
Chief Information Security Officer
Google Cloud

Stephan von Watzdorf
Head of Cyber Center of Competence
Swiss Re

The ultimate aim is to develop insights and recommendations that can directly enhance systemic resilience for cloud technology, as well as inform regulatory and policy approaches. The findings, which will be aimed at both technical and nontechnical audiences, will be published on Carnegie’s website and made freely available.

The Carnegie project team comprises Peter Armstrong, Ariel (Eli) Levite, Gabriella Mesce, and John Pendleton. Please contact Samantha Lai (Samantha.Lai@ceip.org) for further information.

The Cloud Reassurance Project brings together cloud service providers, enabling technology providers and (re)insurers. The project is funded by the participants, who are represented on technical and policy working groups. These groups include independent experts who bring deep knowledge of cloud computing and technology governance. Legal advisors ensure that all activities are compliant with antitrust requirements and, when required, provide guidance regarding confidentiality.

The project will run for approximately one year to investigate questions such as:

  • Evaluating the risk: what are the key features of a systemic event resulting from a disruption of cloud services? What are the plausible yet severe scenarios of most concern? Which services create the most significant accumulations of risk?
  • Bounding the risk: how can technical mitigations limit potential systemic impacts from cloud disruptions? How can stakeholders identify concentrations of risk, quantify it, and incorporate it in risk governance mechanisms?
  • Managing the risk: what is the appropriate balance of responsibilities between technology providers, users, regulators, and (re)insurers? How can this project create shared understanding of the risk among these stakeholders?

The project is overseen by a steering group, comprising the following stakeholder participants:

Rachelle Celebrezze
Senior Director of Government Relations and Head of Americas Public Policy
VMware

Edna Conway
Vice President, Security & Risk Officer, Cloud Infrastructure
Microsoft

Scott Kannry
Chief Executive Officer
Axio

Robert Kolasky
Senior Vice President for Critical Infrastructure
Exiger

Jürgen Reinhart
Chief Underwriting Officer – Cyber
Munich Re

Jordana Siegel
Data Protection and Public Policy
Amazon Web Services

Bobbie Stempfley
Board Chair
Center for Internet Security

Phil Venables
Chief Information Security Officer
Google Cloud

Stephan von Watzdorf
Head of Cyber Center of Competence
Swiss Re

The ultimate aim is to develop insights and recommendations that can directly enhance systemic resilience for cloud technology, as well as inform regulatory and policy approaches. The findings, which will be aimed at both technical and nontechnical audiences, will be published on Carnegie’s website and made freely available.

The Carnegie project team comprises Peter Armstrong, Ariel (Eli) Levite, Gabriella Mesce, and John Pendleton. Please contact Samantha Lai (Samantha.Lai@ceip.org) for further information.

All work from Cloud Reassurance Project

1 Results
paper
Cloud Reassurance: A Framework to Enhance Resilience and Trust

As increasing amounts of information and services are moved to the cloud, a few providers have come to manage the bulk of cloud services. This level of dependence and concentration offers some benefits and risks, but policy action is needed to minimize and manage the risks.