With cloud’s security benefits comes systemic risks, report finds

Although nearly 30 years old, cloud computing is still a “new” technology for most organizations. The cloud promises to reduce costs and increase efficiencies through storage and management of large repositories of data and systems that are theoretically cheaper to maintain and easier to protect.

Given the growing rush by organizations to move to the cloud, it’s no surprise that some policymakers in Washington are calling for regulation of this disruptive technology. Last year, Representative Katie Porter (D-CA) and Nydia Velázquez (D-NY), urged the Financial Stability Oversight Council (FSOC) to consider cloud services as essential elements of the modern banking system and subject them to an enforced regulatory regime. Their calls for this kind of oversight came in the wake of a major data breach of Capital One in which an employee of the financial institution was able to steal more than 100 million customer credit applications by exploiting a misconfigured firewall in operations hosted on Amazon Web Services (AWS).

A study released today by the Carnegie Endowment for International Peace aims to give lawmakers and regulators a basic understanding of what’s happening in the cloud arena, with a particular focus on the security of these vast reservoirs of information. “Cloud Security: A Primer for Policymakers,” written by Tim Maurer, co-director of the Carnegie Endowment’s Cyber Policy Initiative and Garrett Hinck, a doctoral student at Columbia University and a former Carnegie Endowment research assistant, argues that the “debate about cloud security remains vague and the public policy implications [are] poorly understood.”

From a public policy perspective, “the image of a cloud obscures as much as it explains,” the report states. “A more nuanced picture emerges when the cloud is considered in terms of its layers—from the physical data centers and network cabling that form its foundation to the virtual software environments and applications that everyday users interact with.”

Systemic cloud security risk

But, the paper states, cloud service is concentrated in the hands of a few providers including AWS, Microsoft Azure, and Google Cloud, so-called “hyperscale” cloud service providers, with firms like Alibaba Cloud and Tencent playing a similar role in China. The rising cost of cyberattacks means that most companies can’t effectively defend themselves, leaving organizations “better off entrusting their security to these external firms’ security teams.” However, that solution raises a new problem which is “the systemic risk associated with a centralized approach.”

“There’s very little understanding of what the cloud is,” Maurer tells CSO. “There is very little out there that describes what the cloud is and how to think about cybersecurity.”

Cloud security policy concerns

Although the Carnegie Endowment report steers clear of public policy recommendations, it does note there are two key policy concerns that have to be balanced.

“The first one is the current and known problem of cyber insecurity,” Maurer says. “Most organizations still struggle to effectively protect themselves against hackers.”

Few organizations can rival the “Fort Knox” level of security provided by Google, Amazon or Microsoft, so they might be better off entrusting security to these giants. “For them, migrating to the cloud can actually improve their cybersecurity because they can then outsource and delegate the protection to the really high-paid security teams of the top security providers,” Maurer says. Those organizations would still need to properly configure their cloud setups to avoid accidental data exposure, which the report is one of the most common events to disrupt cloud services.

The second concern is the systemic risk cloud providers pose, namely that allowing so much data to be stored in the hands of giants could invite rare but catastrophic events. The report cites a 2018 Lloyds of London study that estimates a three- to six-day outage of a major cloud service provider could cause economic losses of up to $15 billion. Moreover, like Fort Knox, cloud services could become juicy targets for attackers because of the amount of riches they contain.

“A growing number of policy makers in Congress but also other places around the world are starting to become more concerned that the more companies and governments migrate to the cloud, the more of a concentrated risk there is, the more systemic risk that migration to the cloud poses,” Maurer says. “If there is a major incident affecting one cloud service provider, then it could affect an entire industry and have a broader sector-wide impact.”

The cloud is more secure than on-premises

Still, the systemic risk shouldn’t overshadow the security benefits of moving to the cloud. “We’re actually on the verge of people worrying too much about the systemic risk and losing sight of the fact that migration to the cloud can actually help us solve the current cybersecurity problem,” Maurer says. A CISO recently told Maurer that “migrating to the cloud makes the organization ten times more secure than what his security team could achieve on their own.”

Other concerns briefly raised in the report center on the dominance of the American cloud providers overseas. “Security is only one of the things governments think about. There’s also a question of data localization, a question of antitrust, a question that many of them want to build out their own domestic tech industries and are therefore imposing laws that they try to restrict the primarily American cloud service providers.”

A collaborative approach to cloud security

Looking ahead, cloud security would benefit from a collaborative approach among those giant providers, Maurer argues, given that the breakneck competition among them stands in the way of protecting against threats that affect all of them. “If we look at the current level of maturity and culture in the tech industry, it is so hyper-competitive that they actually rarely talk to each other and they rarely discuss security that could impact all of them,” he says.

Although some critics of a collaborative cloud security initiative might raise antitrust concerns, there are models of similar approaches in other industries, including finance and aviation, Maurer says. “If you look at other highly competitive industries like the financial industry, like the aviation industry, they have all formed specific industry consortia that are designed to help address security because they recognize the risks in the entire industry and not just individual companies.”

“It will be much more important in the future for the major cloud service providers to come together to share and compare notes…and to also potentially share data about threat actors that may be targeting them,” he says. “That is likely to pay off more in the future than a regulatory framework would, which is down the road.”