“The Biden administration is embarking on the nation’s first comprehensive plan to regulate the security practices of cloud providers.”
Politico
There have been a number of articles in the news recently about the White House taking steps to regulate the security practices of cloud providers. The problem, as stated by the acting National Cyber Director is that the cloud has “become essential to our daily lives. If it’s disrupted, it could create large potentially catastrophic disruptions to our economy and to our government”. In essence, the director stated that the cloud is “too big to fail”.
So, what exactly is the White House concerned about? Politico stated that the fear is simply this: “For all their security expertise, the cloud giants offer concentrated targets that hackers could use to compromise or disable a wide range of victims all at once”. “The collapse of a major cloud provider could cut off hospitals from accessing medical records; paralyze ports and railroads; corrupt the software that helps financial markets; and wipe out databases across small business, public utilities, and government agencies.”
According to Politico “Hackers from nations such as Russia have used cloud servers from companies like Amazon and Microsoft as a springboard to launch attacks on other targets. Cybercriminal groups also regularly rent infrastructure from U.S. Cloud providers to steal data or extort companies.”
So, what does this all mean?
The problem that cloud companies need to address is the storage repositories themselves. As stated above in the quote by Politico, the issue is that the storage is basically held in “concentrated” locations, making it easier to locate and directly attack the storage repositories. In short, server farms have been used since the internet began. Collocating the storage repositories makes them easier to maintain and reduces the costs associated with managing the short and long-term storage needs of cloud clients. Naturally the downside of this is that it’s easier for nefarious actors to find and attack these server farms.
To address the problem, these providers have a couple of different options they’re likely to look at. The first being tighter access restrictions to these storage repositories and limiting the number of employees that have access to these repositories, and the physical server farms themselves. This means limiting both the physical access at the repositories themselves, as well as limiting access for developers and engineers working directly with the code and the storage itself. This method will also likely be accompanied by background checks and tighter internal security for all cloud company employees.
The next likely step will be a review of the software being used for file encryption and file access. Encryption software is typically used by cloud providers to offer enhanced protection for files and folders to help prevent unauthorized access. For access to the files themselves, software such as “multi-factor” or “2-factor” authentication is used in order to ensure that the clients who own the stored content are the only ones that can gain access to the accounts themselves, which would lead the user to the files housed inside.
Another step that might be taken by cloud providers is to simply plan on accepting some of the fines associated with the breaches. These companies make significant amounts of money, so paying fines associated with violations of any type can often be financially more beneficial than undertaking an infrastructure change or significantly modifying their storage configurations.
How will this affect users of these platforms?
There are a number of possible impacts on the users themselves. By far, the most likely will be an increase in the costs associated with file storage and the associated services hosted on these servers. As an example, a company may be using one of these large cloud providers to host their storage. Since the security costs will go up for these providers, it would seem that a portion (if not all) of the new costs are passed down to the user. These massive cloud companies have stakeholders to report to, and they don’t typically like to show losses. So, it’s a safe bet that the cost for users of these large cloud services is going to go up.
Do all cloud providers use server farms? Is there a better way?
This question comes down to infrastructure. Looking at the telephone companies as an example, the overwhelming majority of transport infrastructure here in the U.S. is still copper. This is because when the telephone was invented, copper was the best method for carrying signals. So, countries like the U.S. put copper everywhere. As technology changed, fiber cables began to be installed, but only in very large and populated areas. This was due to the cost associated. It isn’t cost-effective to put fiber everywhere. Today we see more wireless technology being deployed such as 5G. Tomorrow it will likely be the next generation of whatever wireless transport technology provides the biggest boost to bandwidth.
In part two of this perspective, we will look at alternative networking infrastructure as a means to potentially mitigate the issue of collocating content in large server farms.
Politico | White House Cloud Overhaul
https://www.politico.com/news/2023/03/10/white-house-cloud-overhaul-00086595
Security Boulevard | Biden Regulate Cloud Security
https://securityboulevard.com/2023/03/biden-regulate-cloud-security-richixbw/
The White House | Executive Order Improving the Nations Cybersecurity
MWS Wire | Copper Wire Remains a Backbone of Telecom