The Misaligned Incentives for Cloud Security
2021-05-28 11:20

An Amazon Web Services cloud vulnerability, compounded by Capital One's own struggle to properly configure a complex cloud service, led to the disclosure of tens of millions of customer records, including credit card applications, Social Security numbers, and bank account information.

As long as a cloud provider isn't losing customers by the droves - which generally doesn't happen after a security incident - it is incentivized to underinvest in security.

Second, public information about cloud security generally doesn't share the design trade-offs involved in building these cloud services or provide much transparency about the resulting risks.

While cloud companies have to publicly disclose copious amounts of security design and operational information, it can be impossible for consumers to understand which threats the cloud services are taking into account, and how.

Policymakers can help address the challenge by setting clear expectations for the security of cloud services - and for making decisions and design trade-offs about that security transparent.

This effort to require greater transparency from cloud providers and exert more scrutiny of their security engineering efforts should be accompanied by a push to modernize cybersecurity regulations for the cloud era.


News URL

https://www.schneier.com/blog/archives/2021/05/the-misaligned-incentives-for-cloud-security.html