Following the announcement of FedRAMP Accelerated on March 28, 2016, I spent a lot of time thinking about ways to improve the agility of regulatory frameworks in a cloud-centric world. I am excited by the potential of FedRAMP Accelerated, especially as it comes to the Capabilities Assessment, because I believe it is moving us in the right direction for regulation of the cloud. I was pleased to attend the CSA Federal Summit in Washington, DC on May 12 and to be invited to participate in the Visionary Panel, Meeting Regulatory Challenges for Cloud Security, where I had the opportunity to discuss the core principles Microsoft is driving toward to enable security, transparency, and agility for our cloud products.

Traditionally, regulation and policy lag innovation. One of the outcomes of the cloud revolution is the democratization of access to game changing computational power, without requiring billions of dollars of up front capital investment. By removing the capital expenditure barrier of entry, the cloud will significantly accelerate the pace of innovation; regulation and prescriptive policies will not be able to keep up.

I spend roughly half of my time meeting with customers and policy makers to talk about how innovations in Azure, necessary to support a hyperscale, multitenant cloud, changed fundamental assumptions about IT architecture. These conversations require a good bit of education and negotiation surrounding traditionally prescriptive security controls – like those documented in NIST SP 800-53 – and how the fundamental assumptions about IT architecture that went into the design of those controls have changed in the era of hyperscale.

In fact, given the pace of innovation inherent in cloud computing, the traditional certification and accreditation model that has worked for the last two decades will increasingly fall short, and ultimately demand a different approach. At that point, regulated industries and governments that have not found a way to evolve their frameworks will find themselves years behind the technology curve.

At Microsoft, we think the solution to this challenge is to change the way we approach requirements; more specifically, to shift our focus away from specific implementations and toward specific outcomes. As long as we continue to define how a security goal is met, we will lag, delay, and deny access to innovation. If we instead focus on what our security goals are, and delegate the how out to the technology innovators and security experts, we will harness the speed and power of the cloud in ways that will ultimately make us more secure.

What does an outcome-based world look like? I envision a framework where a government or industry sector identifies the 20/30/50 core security outcomes that matter to them, based on the risks they face and the goals they want to achieve. Cloud Service Providers (CSP) then identify methods of meeting those goals and identify metrics that can be used to demonstrate achievement. Most CSPs will likely begin with the existing prescriptive security control frameworks to architect their implementations. Over time, as CSPs remain anchored to these outcomes, the implementation details will be able to evolve with the changing tides of innovation. At Microsoft, we are already leading this charge. In future posts I plan to delve into greater details about how we approach traditional security challenges like monitoring, access control, and system health.

I foresee several advantages to an outcome-based world. Initially, I believe this helps with regulatory agility which ultimately unbounds innovation. At the same time, I strongly believe this paradigm change will improve security. As a long time information security consultant, auditor, program administrator, and cloud service provider I have spent a lot of my career in the implementation based world. In my experience, compliance in that world can become distracted by semantic debates over control wording or grammar exercises around paperwork, so much so that it loses sight of actual risk mitigation and security. In an outcome-based world, word choice and grammar lose meaning, and we focus instead on risk mitigation and achieving security goals.

Additionally, if we design our list of outcomes well, we also improve the ability to monitor near real-time security posture. As a CSP, Microsoft will be able to track metrics that illuminate our success around each of these outcomes, and provide our customers with dashboards that present those security health metrics for the security frameworks that our customers care about. This will allow our customers to have situational awareness regarding the risk of their data in the cloud, as represented by the core security outcomes that matter most to their industry or government.

During the Meeting Regulatory Challenges for Cloud Security panel, we discussed ways in which federal agencies can begin the process of moving toward outcome-based assessments, even in the era of implementation-based controls. I really enjoyed hearing the thoughts of my fellow panelists and the audience; they inspired me to write this post and begin a broader conversation.

FedRAMP Accelerated is leading us toward this new outcome-based world, which is why I believe that FedRAMP Accelerated will be a success. Microsoft worked with our peer hyperscale cloud providers to provide feedback on the FedRAMP Accelerated Capabilities Assessment. As part of that feedback we provided an initial list of 20 outcomes we recommended that FedRAMP focus on. I included our list below, in hopes of spurring further conversation around sound security principles and helping accelerate the pace of innovation.

Thank you again for participating in this conversation. I look forward to your feedback on our proposed list and to continuing this conversation with the cloud security community.