Two years ago, the Carnegie Endowment launched the Cloud Governance Project, a multi-year study on the governance challenges associated with cloud computing. “This project recognizes that the cloud offers huge benefits for individuals, organizations, and national economies through greater IT convenience, flexibility, and cost savings,” said the project’s website. “However, the risks of a major disruption affecting cloud services will invite regulation by governments at the local, national, and international levels. Moreover, as the world grows increasingly dependent on the cloud, other aspects of the technology – related to consumer protection, sustainability, inclusiveness, and human rights – will also attract scrutiny and regulation to protect or advance public interests.”
I’ve been closely following cloud computing since it first emerged in the late 2000s. In 2008 I gave a talk at a conference on The Promise and Reality of Cloud Computing. Most everyone at the conference agreed that something profound and exciting was going on, but there was no real consensus on what cloud computing was. A major reason for both the excitement and lack of consensus about cloud is that we were basically seeing the emergence of a new model of computing in the IT world, only the third such model in the history of computing. The mainframe-based centralized computing model first appeared in the 1960s. Then came the PC-based client-server model in the 1980s. The more recent internet-based cloud computing model emerged in the late 2000s.
Over the past fifteen years, cloud has gone through three major stages. First came infrastructure-as-a-service, offering near unlimited scalability at very attractive prices. Then came software-as-a-service, offering a faster and less costly way of prototyping and deploying innovative applications leveraging advanced tools like containers, Kubernetes, and microservices. Cloud computing has now become a major engine of business transformation, helping companies adapt to the accelerated digitalization of the economy, especially since the advent of Covid-19 in March of 2020.
In response to the pandemic, digital adoption by business and consumers has already reached levels that weren’t expected for many years. As a recent McKinsey article pointed out, cloud enabled Moderna to deliver the first clinical batch of its mRNA vaccine candidate for phase one trials just 42 days after the initial sequencing of the virus. And a 2020 NY Times article cited the experience of Accenture. Before the pandemic, no more than 10% of its 500,000 employees in more than 200 cities in 120 countries worked remotely on any given day, but, by the middle of March, nearly all were asked to work from home and the volume of video calls went up by a factor of six. The huge scalability of cloud computing was clearly a major factor in helping employees quickly adapt to near-universal remote work.
“The rising importance of cloud services and cloud service providers (CSPs) in society has caught the attention of policymakers and regulators seeking to reap the benefits of this new technology while managing attendant risks,” wrote the Carnegie Project in a comprehensive working paper on Cloud Governance Challenges. “The regulatory landscape of cloud computing is highly complex, owing to factors such as its rapidly increasing centrality to many societal and economic functions and continuous innovations in involved technology. Understanding the many issues emerging from this context will be critical to responsibly unlocking the potential of cloud services for society.”
The paper provides a comprehensive discussion of the governance challenges pertaining to cloud service providers (CSPs) and to the cloud services market as a whole. These governance challenges are organized into five different areas, each focused on what the paper calls the basket of issues that applies to each particular area: security and robustness, resilience, consumer protection, prosperity and sustainability, and human and civil rights. Let me summarize a few of the key governance issues in each of these areas.
Security and Robustness “concerns the ability of CSPs to plan for, protect against, and actively defend against both security threats to cloud services from malicious actions, as well as other perils arising from naturally occurring incidents, technical malfunctions, and human-induced accidents.”
Key governance challenges include the allocation of responsibility and accountability for overall security between CSPs and their clients, including the protection of data and the underlying physical infrastructure; risk management practices such as systemic controls and operational defenses to protect against disruption of services and unauthorized access; and the requirement that data and cloud operations be stored and processed within a given jurisdiction to prevent their being compromised.
A related policy area is the designation of clouds as critical infrastructures, and that of CSPs as critical service providers which must meet higher risk management standards and are subject to increased scrutiny by the federal government. A number of major sectors that have already been designated as critical infrastructures are increasingly reliant on cloud services and CSPs for their operations, including financial services, energy, communications, and transportation systems. “Care must be taken in all cases to balance between transparency needs and the preservation of privileged information that is proprietary or critical to CSP security or business functionality.”
Resilience “pertains to measures taken to ameliorate the adverse consequences that may arise from service failures, disruptions, and other distortions to cloud-based services through contingency planning, backstopping, and insurance mechanisms.”
Governance challenges include measures to minimize the impact on CSPs and their customers of breaches, accidents or attacks, such as stringent backup regulations and enforcements; mandatory requirements for reporting any incidents in order to learn how to better prevent them in the future; requiring CSPs to have adequate insurance to cover physical or financial damages resulting from cloud failures; and the need for governmental backstopping measures in the event of potentially catastrophic incidents.
Consumer Protection “centers around concerns over the relationship between CSPs and consumers due to the asymmetry of power between them, as well as the oligopolistic nature of the CSP market.”
Governance challenges include the concentration of cloud power on a few large CSPs, which could leave users with few competitive choices and lead to lower quality of services, price gouging, and the risks of vendor lock-in; standards for cloud services that will enable interoperability and portability among CSPs and help prevent vendor lock-in; and fairness and transparency in contracting requirements to protect consumers against arbitrary decisions by CSPs such as changing the terms of their services and discontinuing support for products upon which consumers now depend.
Prosperity and Sustainability “focuses on the broader role and macro impact of the cloud in the domestic and international economic order, and policies aiming to leverage, channel, or redress effects on employment, growth, innovation, welfare, and the environment.”
Key governance challenges include ensuring equitable access to cloud services with broad economic impact, such as leading-edge technologies offered by CSPs like artificial intelligence; potential predatory CSP practices such as barriers to entry, market manipulation, and the bundling of cloud services to keep out smaller competitors; and dependence on foreign CSPs due to concerns about potential bias in service quality and reliability, sensitive personal and commercial information, intellectual property, and national security.
Human and Civil Rights “focuses on concerns arising from the cloud’s emergence as a huge depository of data and provider of increasingly essential services.”
Governance challenges include protection of the privacy rights and freedom of expression of individuals against overzealous government authorities; reporting and transparency requirements surrounding data collection and their use; restricting access to information containing individuals’ identity and vital information; and the need for political neutrality in access and content moderation.
“Overall, given how tough some of the policy and regulatory challenges are likely to be, many issues associated with cloud governance will likely be addressed only partially, slowly, and suboptimally,” notes the Carnegie cloud governance paper in conclusion. “The general lack of understanding and appreciation of the cloud and related issues by involved policymaking and regulatory authorities worsens this problem, highlighting the need for more robust education and engagement of relevant personnel (one of many goals of this document).” Additional discussions, as well as potential pathways forward, can be found on the Carnegie Cloud Governance website.