White House to Regulate Cloud Security: Good Luck With That

Biden administration wants new regulations for cloud providers. But we’re not sure it’ll help.

Old people in suits propose new bureaucracy in an attempt to make IaaS, PaaS and SaaS more secure. Amid much tut-tutting about SolarWinds, they seem convinced they can make a difference.

The internet disagrees. In today’s SB Blogwatch, we unpick the arguments.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Uptown Car.

Be Careful What You Wish For

What’s the craic? John Sakellariadis reports—“Biden administration is embarking on the nation’s first comprehensive plan to regulate the security practices of cloud providers”:

Cloud providers haven’t done enough
Governments and businesses have spent two decades rushing to the cloud — trusting some of their most sensitive data to tech giants that promised near-limitless storage, powerful software and the know-how to keep it safe. Now the White House worries that the cloud is becoming a huge security vulnerability. … If the government fails to find a way to ensure the resilience of the cloud, it fears the fallout could be devastating.

For all their security expertise, the cloud giants offer concentrated targets that hackers could use to compromise or disable a wide range of victims all at once. … And cloud servers haven’t proved to be as secure as government officials had hoped. Hackers from nations such as Russia have used cloud servers from companies like Amazon and Microsoft as a springboard to launch attacks. … Cybercriminal groups also regularly rent infrastructure from U.S. cloud providers.

Cloud providers haven’t done enough to prevent criminal and nation-state hackers from abusing their services … officials argued, pointing in particular to the 2020 SolarWinds espionage campaign. [And they] express significant frustration that cloud providers often up-charge customers to add security protections: … Agencies that fell victim to the Russian hacking campaign had not paid extra for Microsoft’s enhanced data-logging features.

Maybe more from Matt Milano? “Biden Administration Prepares to Regulate Cloud Security”:

Cloud security lapses
There’s hardly any aspect of daily life that isn’t touched by the cloud in some way. That ubiquity is a source of concern. [So] the Biden Administration now views the cloud industry as “too big to fail.”

Unfortunately while companies have raced to deploy cloud platforms and services, cloud security has often lagged behind, leaving organizations and individuals vulnerable. Even worse, critical infrastructure has come under attack as a result of cloud security lapses.

Will it work? Stephen E. Arnold observes thuswise—“Big Tech, Lobbyists, and the US Government”:

Armies of attorneys

    1. Lobbyists have worked to make it easy for cloud providers and big technology companies to generate revenue in an unregulated environment.
    2. Government officials have responded with inaction and spins through the revolving door. A regulator or elected official today becomes tomorrow’s technology decision maker and then back again.
    3. The companies themselves have figured out how to use their money and armies of attorneys to do what is best for the companies paying them.

Here’s what stood out to rdevsrex:

The Biden administration … will require cloud providers to verify the identity of their users to prevent foreign hackers from renting space on U.S. cloud servers.

Wait. Pause. Joe’ll do whatnow? Here’s a slightly sarcastic u/ryosen:

Oh good. A bunch of septuagenarians that have demonstrated, time and again, that they lack even the most fundamental understanding of how technology works, are going to legislate how technology should work. I’m sure this will be just fine.

And this Anonymous Coward is nonplussed:

Ignoring the “hackers” scarewording, actual foreign spies have no problem getting US identity cards. So this is zero protection.

I don’t buy for a moment that the POTUS with the best advisors US government dollars can buy doesn’t know this. So it’s for another reason. And that reason is the same as why China demands every citizen register to online services with their government identity: … To keep tabs on political adversaries.

This is fine. u/sometimesanengineer sips coffee amid the conflagration:

The US government doesn’t understand cloud enough to properly regulate it. I’ve seen enough stuff get past C3PAO to anticipate a meaningless designation getting applied that customers think absolves them of their piece of the Shared Responsibility Model. Same as we’ve seen with Azure Government or AWS GovCloud.

Information has a tendency to be left off architecture and design documentation. Policies / procedures / practices claimed in controls compliance are not necessarily followed. Layers of the system or components of the system are often left out. And changes are made for expediency’s sake, often to fix something else that’s broken—which in complex systems is a quick way to screw things up.

Lawmakers gonna lawmake. techno-vampire predicts pointlessness:

Let me guess: … At least 75% of any new regulations will require cloud providers either to do things or stop doing things that are covered by existing regulations. And, most of the remaining 25% will either be useless, or so ambiguous that nobody will be able to tell if any company is following them or not. That’s because the only point of creating these new regulations will be so that the Administration can claim that they did something.

Meanwhile, u/fractalfocuser laughs and laughs and laughs:

Ohhhh lord this is too funny. “Quick everybody! Put the cat back in the bag!”

And Finally:

Funk Wash!

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: DinkeyHotey (cc:by-sa; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.