When we are looking at public cloud servers we are talking about three main companies: Amazon, Microsoft, and Google. These powerhouses control upwards of 80% of the market. On these public cloud servers, information is collected, pooled and accessed on demand by those who need it. When an end-user surfs the internet - be it to stream their favourite show, make a purchase or answer emails - these requests and associated data are being communicated back and forth with cloud servers. The supply chain which runs the global economy runs on these same cloud servers. 

 

With a monopoly controlling the public servers, a large outage - whether hostile or accidental - on AWS, the leading public cloud server, could shut off up to 38.9% of data and services operating within it. While end-users, be it an individual or company, are responsible for the security of their own applications; public cloud servers look at the big picture, notably, the security of the cloud infrastructure. 

 

Public cloud servers are set up to focus on resilience. They have multiple data centres dispersed across various regions, all working independently of each other. This structure minimises the impact of a cyberattack or outage from expanding beyond a singular region. Moreover, impact is minimised further through the use of cell-based architecture in the software utilised to run applications. Although servers have gone down in the past, they are limited in scale and quick to be addressed. So, what is the worry? 

 

Even a small incident can quickly spiral out of control. Consider the 2020 AWS outage in Northern Virginia. In November 2020, Amazon Kinesis crashed, causing an interruption that avalanched and affected the operations of a whole host of national and even international companies. Theoretically, these failures are limited to regions. Yet if a region of London, or Silicon Valley, or New York City were to go down, the wider impact to society or the economy are hard to estimate. Moreover, though regions don’t generally communicate with one another, Identity and Access Management (IAM) controls introduces the exception. When managing access permissions, regions talk to each other to determine who has access to which services. Identity and Access Management (IAM) controls ask users “Are you who you say you are” and “If you are, what can you do”. These controls run, not through a region or multiple regions, but across the entire cloud provider network. If the IAM control is unable to function, then users across the cloud would lose their ability to access services which store their data. Therefore, representing the single largest attack vector for cloud infrastructure. 

 

Despite this, there is still no specific cloud security regulation. The UK government spent £2.8 billion during the last financial year on cloud services. Yet, no direct cloud regulation, no push for change or security, is proposed. The problem here is the unclear lines of jurisdiction and responsibility. The global cloud computing market was worth USD$405.65 billion in 2021 and will continue to grow. It is critical then that authorities consider how cloud resilience is governed, prioritising legal regulations and enforcing them to ensure the risk of a potentially catastrophic crisis is reduced. Of course, the best means of effecting the change we need to see is through the collaboration of the public and private sectors. Held at Olympia London on the 27th - 28th September 2022, International Cyber Expo endeavours to be the go-to meeting place for industry collaboration, inviting vetted senior cybersecurity buyers, government officials and entrepreneurs, to software developers and venture capitalists. 

 

To register for FREE tickets to the event, visit: https://ice-2022.reg.buzz/e1