Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Cloud Microsoft Google Oracle Security

US Plans More Regulations to Improve Cloud Security (politico.com) 12

Politico reports: Governments and businesses have spent two decades rushing to the cloud — trusting some of their most sensitive data to tech giants that promised near-limitless storage, powerful software and the knowhow to keep it safe.

Now the White House worries that the cloud is becoming a huge security vulnerability.

So it's embarking on the nation's first comprehensive plan to regulate the security practices of cloud providers like Amazon, Microsoft, Google and Oracle, whose servers provide data storage and computing power for customers ranging from mom-and-pop businesses to the Pentagon and CIA.... Among other steps, the Biden administration recently said it will require cloud providers to verify the identity of their users to prevent foreign hackers from renting space on U.S. cloud servers (implementing an idea first introduced in a Trump administration executive order). And last week the administration warned in its national cybersecurity strategy that more cloud regulations are coming — saying it plans to identify and close regulatory gaps over the industry....

So far, cloud providers have haven't done enough to prevent criminal and nation-state hackers from abusing their services to stage attacks within the U.S., officials argued, pointing in particular to the 2020 SolarWinds espionage campaign, in which Russian spooks avoided detection in part by renting servers from Amazon and GoDaddy. For months, they used those to slip unnoticed into at least nine federal agencies and 100 companies. That risk is only growing, said Rob Knake, the deputy national cyber director for strategy and budget. Foreign hackers have become more adept at "spinning up and rapidly spinning down" new servers, he said — in effect, moving so quickly from one rented service to the next that new leads dry up for U.S. law enforcement faster than it can trace them down.

On top of that, U.S. officials express significant frustration that cloud providers often up-charge customers to add security protections — both taking advantage of the need for such measures and leaving a security hole when companies decide not to spend the extra money. That practice complicated the federal investigations into the SolarWinds attack, because the agencies that fell victim to the Russian hacking campaign had not paid extra for Microsoft's enhanced data-logging features.... Part of what makes that difficult is that neither the government nor companies using cloud providers fully know what security protections cloud providers have in place. In a study last month on the U.S. financial sector's use of cloud services, the Treasury Department found that cloud companies provided "insufficient transparency to support due diligence and monitoring" and U.S. banks could not "fully understand the risks associated with cloud services."

This discussion has been archived. No new comments can be posted.

US Plans More Regulations to Improve Cloud Security

Comments Filter:
  • These people are not only stupid, they must be completely disconnected in addition. Experts have been saying that since the idea of the "cloud" became a thing.

  • To the whole c-suite! 1 scoop per customer breach. Come on down and meet your co-workers! It's OK if you didn't know. Here's some extra money from the taxpayers for that. Does everybody feel better now, great, now back slave-driving, you lil rascals.
  • More pointless KYC (Score:5, Insightful)

    by RegistrationIsDumb83 ( 6517138 ) on Saturday March 11, 2023 @04:44PM (#63362361)
    God, stop putting dumb know your customer id requirements on everything. All this is ever used for in practicality is to harvest and sell data.
  • The odds are that at least 75% of any new regulations will either require cloud providers either to do things or stop doing things that are covered by existing regulations. And, most of the remaining 25% will either be useless, or so ambiguous that nobody will be able to tell if any company is following them or not. That's because the only point of creating these new regulations will be so that the Administration can claim that they DID SOMETHING.

news: gotcha

Working...