The Cloud as Critical Infrastructure
Contemplating Regulations for Cloud Services Providers
When you think of national critical infrastructure, electricity distribution grids, transportation networks and banking systems come to mind. But cloud computing services?
Yet, the growing importance of public clouds, along with the ever-persistent threat to private and public sectors' infrastructures, is expected to result in the U.S. federal government declaring them a critical national infrastructure by 2016, according to information technology adviser Gartner.
"The popularity and increased adoption of cloud-based security services, albeit at different degrees, will influence the shape of future security marketplaces," Gartner Research Director Ruggero Contu says.
As federal lawmakers take up cybersecurity legislation in the new 113th Congress, the role of government in regulating the nation's mostly privately-owned critical IT infrastructure will resurface. In the last Congress, sponsors of the Cybersecurity Act of 2012 couldn't break a Senate filibuster, in part because of provisions that would have established a process for the government and industry to develop IT security best practices that businesses could voluntarily adopt [see Senate, Again, Fails to Halt Filibuster].
Business groups such as the U.S. Chamber of Commerce and the Business Roundtable have opposed any type of government-sponsored cybersecurity IT standards, whether they're mandatory or voluntary [see Partisan Showdown over Cybersecurity Bill and Arguing Against Voluntary Standards].
At the moment, sufficient votes don't exist to enact legislation to regulate the IT security of critical infrastructure owners. And even if they did, designating cloud providers as critical infrastructure would be highly unlikely. That's because cloud services haven't experienced the type of disruptions felt by other computer hosts.
Following the Data
But the economics of computing is changing, as more organizations turn to cloud computing to save money. And if that's where the data are flowing to, there's little doubt that the hackers will follow. If real damage to the economy can be caused by disruption to cloud services, lawmakers might reassess their attitude toward regulations. We're not there - yet.
Still, the Federal Risk and Authorization Management Program, or FedRAMP, requires providers to meet IT security standards if they want to furnish government agencies with cloud services [see Feds Explain How FedRAMP Will Work]. Lawrence Pingree, another Gartner research director, envisions public cloud services providers being required to meet FedRAMP or similar IT security standards.
"Security technology providers will need to prepare their technologies in order to address potential mandates for critical infrastructure protection of public cloud environments," Pingree says. "Providers that lack the ability to offer compliant security controls to address critical infrastructure protection mandates will likely face sales difficulties in cloud environments and may be filtered from shortlists based on emerging critical infrastructure protection requirements."
Pingree's final statement suggests that even without regulations, smart users will avoid providers that can't prove their offerings are secure. Government-established security standards, even if they can't be mandated, could serve as guidance for users to vet cloud providers.