A newly released report on cloud security from the Carnegie Endowment for International Peace includes some notable findings on the infrastructure that now underpins how companies operate:
- By 2020, the overall cloud services market is expected to be $266.4 billion, a 17 percent increase compared to 2019 (Gartner).
- In reference to a number of breach cases impacting market leaders like Azure, AWS and Google Cloud, “cloud security thus far is a series of potential catastrophes narrowly averted”.
The report calls attention to the fact that cloud service providers (CSPs) are now critical infrastructure: “Calls for regulating CSPs have been growing amid concerns about the systemic risk of businesses’ move to the cloud. For example, a 2018 report estimates that a three- to six-day outage of a major CSP would cause economic losses up to $15 billion (Lloyd’s and AIR Worldwide).” Yet, in the words of Rob Joyce, former chief of the Tailored Access Operations at the U.S. National Security Agency, “cloud computing is really just a fancy name for someone else’s computer.” But as the report points out, the thousands of “someone else’s computers” that compose the public cloud are concentrated in the hands of a few CSPs.
The cloud is the infrastructure that underpins the accelerated digital transformations of companies around the world. The economies of scale, speed, cost and efficiency gains it has afforded companies are unquestionable. Though companies that utilize cloud for an increasing share of operational functions are outsourcing a core function to CSPs, what cannot be outsourced is the responsibility to effectively protect the data and digital operations that run on the cloud.
The report rightly refers to the increasing call for CSPs to be treated like the critical infrastructure they are. As the report points out, a disruption to one of these providers could have a disruptive impact on companies that rely upon it, something we have called attention to over the past year.
Contrary to the report’s accounting of the financial impact of disruption events, operational disruptions are far more damaging than the figures companies disclose, as a majority of the damage does not come in the form of regulator fines or lawsuits but rather in the lasting negative impacts on corporate balance sheets and shareholder value. ISS is only the most recent example of this trend.
Although public and private cloud have no doubt advanced corporate IT security overall, cloud security is indeed a series of narrowly averted catastrophes, as the report notes. Investors would be prudent to understand how significant the downside financial risks are for companies if such an event occurs, and what measures are in place to minimize the likelihood of it happening.