The Public Eye with Eric Chabrow

The Cloud as Critical Infrastructure

Contemplating Regulations for Cloud Services Providers

When you think of national critical infrastructure, electricity distribution grids, transportation networks and banking systems come to mind. But cloud computing services?

Yet the growing importance of public clouds, along with the ever-persistent threat to private- and public-sector infrastructure, is expected to result in the U.S. federal government declaring them critical national infrastructure by 2016, according to information technology adviser Gartner.

"The popularity and increased adoption of cloud-based security services, albeit at different degrees, will influence the shape of future security marketplaces," Gartner Research Director Ruggero Contu says.

As federal lawmakers take up cybersecurity legislation in the new 113th Congress, the role of government in regulating the nation's mostly privately owned critical IT infrastructure will resurface. In the last Congress, sponsors of the Cybersecurity Act of 2012 couldn't break a Senate filibuster, in part because of provisions that would have established a process for the government and industry to develop IT security best practices that businesses could voluntarily adopt [see Senate, Again, Fails to Halt Filibuster].

Business groups such as the U.S. Chamber of Commerce and the Business Roundtable have opposed any type of government-sponsored cybersecurity IT standards, whether they're mandatory or voluntary [see Partisan Showdown over Cybersecurity Bill and Arguing Against Voluntary Standards].

At the moment, sufficient votes don't exist to enact legislation to regulate the IT security of critical infrastructure owners. And even if they did, designating cloud providers as critical infrastructure would be highly unlikely. That's because cloud services haven't experienced the type of disruptions felt by other computer hosts.

Following the Data

But the economics of computing is changing, as more organizations turn to cloud computing to save money. And if that's where the data are flowing to, there's little doubt that the hackers will follow. If real damage to the economy can be caused by disruption to cloud services, lawmakers might reassess their attitude toward regulations. We're not there - yet.

Still, the Federal Risk and Authorization Management Program, or FedRAMP, requires providers to meet IT security standards if they want to furnish government agencies with cloud services [see Feds Explain How FedRAMP Will Work]. Lawrence Pingree, another Gartner research director, envisions public cloud services providers being required to meet FedRAMP or similar IT security standards.

"Security technology providers will need to prepare their technologies in order to address potential mandates for critical infrastructure protection of public cloud environments," Pingree says. "Providers that lack the ability to offer compliant security controls to address critical infrastructure protection mandates will likely face sales difficulties in cloud environments and may be filtered from shortlists based on emerging critical infrastructure protection requirements."

Pingree's final statement suggests that even without regulations, smart users will avoid providers that can't prove their offerings are secure. Government-established security standards, even if they can't be mandated, could serve as guidance for users to vet cloud providers.



About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.



