White House to Regulate Cloud Security: Good Luck With That – Security Boulevard

Biden administration wants new regulations for cloud providers. But we're not sure it'll help.

Old people in suits propose new bureaucracy in an attempt to make IaaS, PaaS and SaaS more secure. Amid much tut-tutting about SolarWinds, they seem convinced they can make a difference.

The internet disagrees. In today's SB Blogwatch, we unpick the arguments.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Uptown Car.

What's the craic? John Sakellariadis reports that the Biden administration is embarking on the nation's first comprehensive plan to regulate the security practices of cloud providers:

Cloud providers haven't done enough

Governments and businesses have spent two decades rushing to the cloud trusting some of their most sensitive data to tech giants that promised near-limitless storage, powerful software and the knowhow to keep it safe. Now the White House worries that the cloud is becoming a huge security vulnerability. If the government fails to find a way to ensure the resilience of the cloud, it fears the fallout could be devastating. For all their security expertise, the cloud giants offer concentrated targets that hackers could use to compromise or disable a wide range of victims all at once. And cloud servers haven't proved to be as secure as government officials had hoped. Hackers from nations such as Russia have used cloud servers from companies like Amazon and Microsoft as a springboard to launch attacks. Cybercriminal groups also regularly rent infrastructure from U.S. cloud providers. Cloud providers haven't done enough to prevent criminal and nation-state hackers from abusing their services, officials argued, pointing in particular to the 2020 SolarWinds espionage campaign. [And they] express significant frustration that cloud providers often up-charge customers to add security protections: Agencies that fell victim to the Russian hacking campaign had not paid extra for Microsoft's enhanced data-logging features.

Maybe more from Matt Milano? Biden Administration Prepares to Regulate Cloud Security:

Cloud security lapses

There's hardly any aspect of daily life that isn't touched by the cloud in some way. That ubiquity is a source of concern. [So] the Biden Administration now views the cloud industry as too big to fail. Unfortunately while companies have raced to deploy cloud platforms and services, cloud security has often lagged behind, leaving organizations and individuals vulnerable. Even worse, critical infrastructure has come under attack as a result of cloud security lapses.

Will it work? Stephen E. Arnold observes thuswise: "Big Tech, Lobbyists, and the US Government":

Armies of attorneys

Here's what stood out to rdevsrex:

The Biden administration will require cloud providers to verify the identity of their users to prevent foreign hackers from renting space on U.S. cloud servers.

Wait. Pause. Joe'll do what now? Here's a slightly sarcastic u/ryosen:

Oh good. A bunch of septuagenarians that have demonstrated, time and again, that they lack even the most fundamental understanding of how technology works, are going to legislate how technology should work. I'm sure this will be just fine.

And this Anonymous Coward is nonplussed:

Ignoring the hackers scarewording, actual foreign spies have no problem getting US identity cards. So this is zero protection. I don't buy for a moment that the POTUS with the best advisors US government dollars can buy don't know this. So it's for another reason. And that reason is the same as why China demands every citizen register to online services with their government identity: To keep tabs on political adversaries.

This is fine. u/sometimesanengineer sips coffee amid the conflagration:

The US government doesn't understand cloud enough to properly regulate it. I've seen enough stuff get past C3PAO to anticipate a meaningless designation getting applied that customers think absolves them of their piece of the Shared Responsibility Model. Same as we've seen with Azure Government or AWS GovCloud. Information has a tendency to be left off architecture and design documentation. Policies / procedures / practices claimed in controls compliance are not necessarily followed. Layers of the system or components of the system are often left out. And changes are made for expediency sake, often to fix something else that's broken, which in complex systems is a quick way to screw things up.

Lawmakers gonna lawmake. techno-vampire predicts pointlessness:

Let me guess: At least 75% of any new regulations will either require cloud providers either to do things or stop doing things that are covered by existing regulations. And, most of the remaining 25% will either be useless, or so ambiguous that nobody will be able to tell if any company is following them or not. That's because the only point of creating these new regulations will be so that the Administration can claim that they did something.

Meanwhile, u/fractalfocuser laughs and laughs and laughs:

Ohhhh lord this is too funny. Quick everybody! Put the cat back in the bag!

Funk Wash!


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites so you don't have to. Hate mail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: DinkeyHotey (cc:by-sa; leveled and cropped)
