Regulation Meets the Cloud: Joint Responsibility for the Future

Why does the cloud need smarter regulations?

May 9, 2023


Recently there’s been an avalanche of stories about TikTok. That’s because from Congress to academia, from multinationals to tiny businesses, and from boardrooms to bedrooms, this channel has grabbed attention for its potential to hijack minds, hearts and data. Isn’t the cloud a much bigger deal? As a singular resource, doesn’t the cloud store far more data and have far greater reach and impact? Shouldn’t it get at least as much attention? Tibi Popp, co-founder and CTO of Archive360, explores the answers to these and related questions.

Sure, attention can mean more regulation, and when there’s technology involved, the results can be, well, mixed. In the case of cloud security, even if more legislation is warranted, the wrong kind of mandates could be problematic. So what’s the right course of action here? 

The Problem of the Interconnected Cloud

Regulators already believe that the biggest cloud providers haven’t done nearly enough to prevent, mitigate or even flag serious threats. Given the endless parade of high-profile breaches like SolarWinds, that’s hard to debate. These same regulators also maintain that these providers have the resources to apply patches and other fixes; not every company depending on the cloud has the same resources.  

That’s why there’s so much talk of a doomsday scenario: A failure at one cloud could potentially bring down entire infrastructures – databases that underpin every aspect of modern life, from critical healthcare and national security to, for example, video games.  And it’s why the Biden administration has launched perhaps the most ambitious effort yet to compel the biggest of the big guns – think Google, Microsoft, Amazon, and Oracle – to do a better job of securing the servers used by a wide swath of organizations in the private and public sectors. 

While there are other regulations pending, the government has put a renewed push behind an executive order from the previous administration that compels cloud providers and resellers to adopt and enforce strict measures to verify the identity of every customer. 

Balancing Growth and Security

The clear goal is to prevent foreign hackers from leasing space in US servers and causing havoc from that vantage point. In the event of criminal activity, better records would make it easier to identify and prosecute the offending parties. Of course, the government is also promising not to hinder rapid growth in order to build better safeguards.

The biggest problem here may be that cloud usage and cloud security are still kept far apart. For example, many providers have a business model that requires surcharges for stronger protection. Also, the government doesn’t have an agency or resources specifically designated for this function. As a result, even the most strategic measures have to rely on a jumble of evolving policies, aggressive enforcement and technology recommendations, such as those aimed at particular industries. 


Rethinking the Fundamentals

Again, credit where it’s due: The government’s focus on securing cloud infrastructures is indeed commendable. However, it’s never a good idea to expect the government to provide all the answers. So what’s being missed here, and how can there be a more realistic approach? 

I believe we can start by rethinking the fundamentals. For example, many of these well-intentioned directives essentially see the technology as an end in itself—the goal is basically to protect server farms. Meanwhile, what really matters is the data.

Focusing on the data rather than the hardware will bring about a change in mindset. The government has reason to fear a domino effect—one server crash leading to systemic failures—and is right to turn up the pressure on cloud providers to amp up the security in their environments. This is vital but also grossly inadequate.

To put it in personal terms, cloud migration just means putting your data on someone else’s computer. But it’s still your data and your responsibility. And it’s not just your valuables up there—a cloud can store endless volumes of data, making it much more tempting to hackers than your little PC could ever be. And through all this, the provider’s customers have precious little visibility into the cloud provider’s security protocols, or how those other customers might draw attacks, or which software packages and IoT devices are being used and introducing vulnerabilities, etc. 

Protecting and Prospering With the Cloud

Bottom line: The cloud still makes perfect business sense for most organizations. For government agencies in particular, it’s the perfect way to move off legacy infrastructures (which many clearly have) and benefit from technology advances without making massive investments. However, all organizations moving digital assets to the cloud must continue to share the responsibility of protecting their own data. Ceding the obligation entirely to the cloud provider – and that’s what total reliance implies – is short-sighted and unwise. 

Of course, enterprises can do a lot more for themselves. Most importantly, there are options available to deploy a dedicated cloud tenant with a high level of isolation. This means no shared network resources, no shared secrets, and enhanced security matched with a customer-specific arrangement. Going a little deeper into the weeds, the user’s own technology can ensure advanced encryption, classify particular data elements as records that require timely retention or disposition, and even tag and quarantine data that, for example, contain PII or other sensitive information. This is top-quality protection even at the lowest levels, employing data privacy guidelines, best practices and more.

Again, cloud security is one area where the government is right to be concerned and justified in proposing comprehensive regulations. Cloud providers of all sizes can and should do more to protect their customers’ assets. But there’s a lot of responsibility to go around – and with the technologies and services now available, organizations migrating to the cloud will benefit from taking greater control of their own security. 

How can organizations ensure security during cloud migration? Could regulations enable that? Share with us on Facebook, Twitter, and LinkedIn. We’d love to hear your thoughts!


Tibi Popp

Co-founder and CTO, Archive360

Archive360 co-founder and CTO Tibi Popp has built a stellar track record in leveraging advances in enterprise technology to solve critical business problems and gain a competitive market advantage. He currently leads technology development at Archive360, which offers Intelligent Enterprise Information Management and Data Migration.