Cloud technology great for security but poses systemic risks, according to new report



Although nearly 30 years old, cloud computing is still a “new” technology for most organizations. The cloud promises to reduce costs and increase efficiencies through storage and management of large repositories of data and systems that are theoretically cheaper to maintain and easier to protect.

Given the growing rush by organizations to move to the cloud, it’s no surprise that some policymakers in Washington are calling for regulation of this disruptive technology. Last year, Representative Katie Porter (D-CA) and Nydia Velázquez (D-NY), urged the Financial Stability Oversight Council (FSOC) to consider cloud services as essential elements of the modern banking system and subject them to an enforced regulatory regime. Their calls for this kind of oversight came in the wake of a major data breach of Capital One in which an employee of the financial institution was able to steal more than 100 million customer credit applications by exploiting a misconfigured firewall in operations hosted on Amazon Web Services (AWS).

That’s why the Carnegie Endowment for International Peace is releasing a study today that aims to give lawmakers and regulators a basic understanding of what’s happening in the cloud arena, with a particular focus on the security of these vast reservoirs of information. “Cloud Security: A Primer for Policymakers,” written by Tim Maurer, co-director of the Carnegie Endowment’s Cyber Policy Initiative and Garrett Hinck, a doctoral student at Columbia University and a former Carnegie Endowment research assistant, argues that the “debate about cloud security remains vague and the public policy implications [are] poorly understood.”

From a public policy perspective, “the image of a cloud obscures as much as it explains,” the report states. “A more nuanced picture emerges when the cloud is considered in terms of its layers—from the physical data centers and network cabling that form its foundation to the virtual software environments and applications that everyday users interact with.”

Systemic cloud security risk

But, the paper states, cloud service is concentrated in the hands of a few providers including AWS, Microsoft Azure, and Google Cloud, so-called “hyperscale” cloud service providers, with firms like Alibaba Cloud and Tencent playing a similar role in China. The rising cost of cyberattacks means that most companies can’t effectively defend themselves, leaving organizations “better off entrusting their security to these external firms’ security teams.” However, that solution raises a new problem which is “the systemic risk associated with a centralized approach.”

“There’s very little understanding of what the cloud is,” Maurer tells CSO. “There is very little out there that describes what the cloud is and how to think about cybersecurity.”

Copyright © 2020 IDG Communications, Inc.


Source link