It hasn’t been news in the tech sector for years, but as businesses worldwide turn to cloud computing as a necessary, everyday solution, they find fewer and fewer companies that offer it. The demand is immense: RightScale data from 2021 (published 2022) found that 57% of companies planned to move workloads to the cloud, and small- to mid-sized businesses increased spend on cloud services by 38% over the previous year. And yet Amazon Web Services (AWS), Google Cloud, Microsoft Azure, IBM and a few others dominate supply. Antitrust questions aside, the increasing horizontal consolidation of cloud services poses serious security risks. A few spectacular outages have illustrated this handily — 2022 alone has seen a Slack outage (particularly concerning in the post-pandemic, work-from-home era), two major Apple outages, two IBM outages in one month, and others.
Businesses have certainly taken note. Data published this month by the Ponemon Institute finds that a full 60% of IT leaders have little or no confidence in the security of their company’s cloud access. Consider that: the security team at your bank, or your internet provider, or the wholesaler that keeps your grocery store stocked, is sending more and more information into the cloud with less and less faith that it’s safe there.
This is a matter of national, and indeed international, security. But governments are only just catching up with the magnitude of the risk.
US: Federal Secure Cloud Improvement and Jobs Act
The Federal Secure Cloud Improvement and Jobs Act of 2021 is a step in that direction, mandating new assessments and oversight protocols for cloud computing products, but it applies only to the federal government. Third-party infrastructure is exempt, even for the 16 sectors that CISA defines as “critical infrastructure” (health, defense, manufacturing, nuclear, etc.).
Instead, the Biden administration has leaned on private companies to regulate themselves as best they can. At this month’s National Cyber Workforce and Education Summit, Accenture, the Linux Foundation, and NPower each promised the government to work on cloud security initiatives, mostly in a training and certification capacity. The message: “You’ve got this, right?”
It’s a curiously hands-off approach, especially for an administration that regularly declares tech and security a priority. Congress has no appetite either for regulating third-party cloud infrastructure, whatever the stakes.
In 2019, shortly after a breach of Capital One’s AWS-hosted data, Representatives Katie Porter (CA-D) and Nydia M. Velázquez (NY-D) wrote to the Financial Stability Oversight Council at the Treasury, demanding that cloud storage in the financial industry be counted among the “systemically important financial market utilities” (SIFMUs) defined by the Dodd-Frank Act. Such a move would allow the Federal Reserve to “prescribe risk management standards” for and “conduct examinations of” these service providers. With such a protocol in place, it’s easy to imagine regulators demanding similar oversight for cloud services across the 15 other critical infrastructure sectors — and just as easy to imagine the providers themselves adopting those standards company-wide, for ease of compliance.
Perhaps it was the chaos of the change in administration; perhaps there’s resistance in the Treasury; but Reps. Porter and Velázquez’s proposal went nowhere. (Rep. Porter, a longtime advocate of cloud service regulation, did not respond to InformationWeek’s request for comment.)
UK Delays While EU Moves on DORA
The good news, if you’re in favor of this kind of regulation (or the bad news if you’re not), is that regulatory bodies across the Atlantic seem to be sliding towards a new compliance regime for cloud providers along these lines.
A paper from the UK Treasury, published last month, revealed that the Treasury and the Bank of England have been mulling a new regulatory framework for “critical” cloud-based third-party services since 2019. (These are services “critical” to the Treasury, which are not necessarily financial.) They propose fairly broad powers to enforce standards and investigate violations. This isn’t legislation, of course; that step, the paper notes, will come “when parliamentary time allows,” and since Britain won’t have a government before September, we will likely be hearing more of this in 2023.
Meanwhile, on the Continent, the European Council and Parliament came to an understanding in May on the Digital Operational Resilience Act (DORA), a regulatory framework that is not yet law, intended to ensure that the financial sector, cloud platforms included, can “maintain resilient operations through a severe operational disruption.” The ponderous process of turning the proposal into law will take months and perhaps years — each member government has to approve it, and a host of agencies like the European Banking Authority will have to come up with technical standards.
This is not some European curiosity. DORA will require non-EU providers (AWS, IBM, Microsoft, Alibaba…) to establish EU subsidiaries, which could potentially change the compliance posture of these companies worldwide. And when it comes to regulation, when the EU sneezes, continents catch cold. GDPR caused a ripple of copycat privacy legislation all over the world, including in California and India, and changed internet user experiences everywhere. DORA might have a similar effect.
But until then, cloud security is purely a business matter. We’ve got this, right?