Cloud technology great for security but poses systemic risks, according to new report

Although nearly 30 years old, cloud computing is still a “new” technology for most organizations. The cloud promises to reduce costs and increase efficiencies through storage and management of large repositories of data and systems that are theoretically cheaper to maintain and easier to protect.

Given the growing rush by organizations to move to the cloud, it’s no surprise that some policymakers in Washington are calling for regulation of this disruptive technology. Last year, Representatives Katie Porter (D-CA) and Nydia Velázquez (D-NY) urged the Financial Stability Oversight Council (FSOC) to consider cloud services as essential elements of the modern banking system and subject them to an enforced regulatory regime. Their calls for this kind of oversight came in the wake of a major data breach of Capital One in which an employee of the financial institution was able to steal more than 100 million customer credit applications by exploiting a misconfigured firewall in operations hosted on Amazon Web Services (AWS).

That’s why the Carnegie Endowment for International Peace is releasing a study today that aims to give lawmakers and regulators a basic understanding of what’s happening in the cloud arena, with a particular focus on the security of these vast reservoirs of information. “Cloud Security: A Primer for Policymakers,” written by Tim Maurer, co-director of the Carnegie Endowment’s Cyber Policy Initiative, and Garrett Hinck, a doctoral student at Columbia University and a former Carnegie Endowment research assistant, argues that the “debate about cloud security remains vague and the public policy implications [are] poorly understood.”

From a public policy perspective, “the image of a cloud obscures as much as it explains,” the report states. “A more nuanced picture emerges when the cloud is considered in terms of its layers—from the physical data centers and network cabling that form its foundation to the virtual software environments and applications that everyday users interact with.”

Systemic cloud security risk

But, the paper states, cloud service is concentrated in the hands of a few providers including AWS, Microsoft Azure, and Google Cloud, so-called “hyperscale” cloud service providers, with firms like Alibaba Cloud and Tencent playing a similar role in China. The rising cost of cyberattacks means that most companies can’t effectively defend themselves, leaving organizations “better off entrusting their security to these external firms’ security teams.” However, that solution raises a new problem, which is “the systemic risk associated with a centralized approach.”

“There’s very little understanding of what the cloud is,” Maurer tells CSO. “There is very little out there that describes what the cloud is and how to think about cybersecurity.”

Cloud security policy concerns

Although the Carnegie Endowment report steers clear of public policy recommendations, it does note there are two key policy concerns that have to be balanced. “As we think about security and the cloud, there are essentially two public policy challenges that we need to think about and separate,” Maurer says.

“The first one is the current and known problem of cyber insecurity. Most organizations still struggle to effectively protect themselves against hackers.”

Copyright © 2020 IDG Communications, Inc.
