The cloud migration: Why regulation matters

Regulatory bodies across the West are playing catch-up following the last couple of years of disruption. From tech-focused antitrust bills in the United States to the Digital Markets Act from the European Union, technology companies are facing mounting pressure to protect customer data and ensure user privacy, as the rapid migration to the cloud continues.

About the author

Sébastien Marotte is President of Box EMEA.

Top of the list of tech companies facing scrutiny are cloud service providers. With a record number of businesses migrating to the cloud due to the pandemic, regulatory bodies have rightly expressed concerns over the impact that outages and cyberattacks can have on Western economies. Therefore, considered and innovation-friendly regulation forms a key part of ensuring the next phase of cloud business is a success.

Many are arguing the series of cloud services outages that disrupted vendors such as Zoom, Hulu and Xbox Live back in December is testament to why regulation truly matters. In the wake of this, cloud service providers must work collaboratively with regulatory bodies to improve security and trust among customers. Ultimately, it is the cloud vendors with a longstanding commitment to security and compliance that will navigate this scrutiny most effectively.

The overnight digital transformation

Over the past couple of years, companies have been forced to reevaluate almost all of their operations and processes, from networking and communications methods to the way they store and share their data and content.

While the upheaval was inevitably unsettling, the resulting technological advancements have improved efficiency and reduced overhead costs for many businesses. According to a new McKinsey Global Survey of executives, companies have accelerated the digitization of their customer and supply chain interactions, as well as internal operations, by three to four years.

A central part of this digital acceleration was the increasing reliance on the cloud, with 60% of organizations moving their workloads online in 2020. This acceleration isn't expected to slow down anytime soon. Gartner recently forecast that the enterprise IT market will grow to almost $1.8 trillion as cloud computing takes hold.

Therefore, and for good reason, regulators are working with haste to ensure that order is maintained in the cloud sector, and are allocating significant resources to assuring public trust in digital transformation technologies.

However, as businesses have increased their trust and dependency on digital infrastructure, cyber criminals have spotted an opportunity to take advantage. In fact, 2021 saw a 17% higher average cost per cybersecurity breach than the previous year - and the highest of the last 17 years. The cost of breaches from remote workers averaged $1.07 million more than those that did not originate from remote devices. This is in large part due to dated infrastructure not providing the level of security that is required for remote work.

As such, businesses, regulators and cloud providers all have a duty to ensure that security is a priority as remote and hybrid work remains the norm.

The security risk posed by legacy infrastructure

Attacks on large-scale businesses like Magellan Health, Marriott Hotels and the World Health Organization drew a lot of media attention in 2020 and led to questions around the speed and security of digitization. However, it is often legacy infrastructure, rather than digitization or cloud systems, that is placing businesses at risk.

While regulators can and should clamp down on cloud vendors that don’t operate in the best interests of their customers, organizations must recognize their own shortcomings when it comes to security. For instance, the widespread use of legacy systems should be a cause for concern in today’s security-first world. Often, these systems lack built-in security and firms are forced to tack on additional measures in an error-prone process. Similarly, because these systems are outdated, service providers and vendors often no longer support them. This means that if malicious actors figure out a way to target a weakness, there is no support from the vendor to fix this defect, leaving the company more vulnerable to a data breach.

In theory, cloud-first solutions with security built into the infrastructure should be inherently more secure. This is largely because these systems receive real-time updates and alerts, and engineering and operations teams produce patches and new features, ensuring that security vulnerabilities that arise can be fixed before any data is at risk. This flexibility and agility are built with the long-term in mind, meaning cloud vendors need to constantly iterate and educate to ensure their customers trust the solutions.

Additionally, cloud providers have ecosystems - networks of providers and solutions that integrate and connect. Together, the duplicative impact of those ecosystems often means that the integrated security provided is exponentially greater than most enterprises could afford. Collectively, vendors are continuing to innovate, giving the market new ideas and new ways to solve problems, which ultimately result in much more secure, integrated solutions.

Regulatory bodies are the solution, not the problem

The recent regulatory focus on the cloud sector is to be encouraged. Simply put, security and compliance must be a part of every digital solution’s DNA.

In the UK, for example, the Bank of England’s Prudential Regulation Authority is seeking to introduce more robust outage and disaster recovery tests for cloud providers involved in the financial services sector. Similarly in the US, the Senate Judiciary Committee is gearing up to deliberate the American Innovation and Choice Online Act, which would target the likes of Apple, Amazon and Google, while President Joe Biden has promised to work with the technology sector to “raise the bar on cybersecurity”.

But while service providers have instinctively pushed back against the newly proposed legislation, past regulation has been proven to help improve security and customer trust in the long term. For instance, it has been argued that the tech sector might try to pre-empt harsh privacy laws by writing its own - and while collaboration is key, it’s important to see regulatory bodies as part of the solution, not the problem.

For example, when the EU’s GDPR law was introduced in 2018, it set a precedent that the responsibility falls on businesses to protect customers’ sensitive data. Since organizations regularly gather personal data, GDPR put safeguards in place to better protect data from bad actors, as well as requiring organizations to protect the data that they gather from exploitation and misuse.

By providing people with greater control over their personal data and simplifying processes for businesses, GDPR has provided a framework for how companies should act when data breaches occur. As a result, consumer confidence increased by 62%, as people felt more in control of their data and privacy. Ultimately, the introduction of similar legislation for the cloud must be both challenged and accommodated to ensure that positive outcomes are achieved.

With a growing dependence on digital technology and the migration to the cloud, as well as the increased risk of cyberattacks, having regulations and guidance in place for businesses to follow if a vulnerability does occur will ultimately help re-instill customer trust. When it comes to the future of work and our migration to the cloud, regulation truly matters.

At TechRadar Pro, we've featured the best business VPN.

Sébastien Marotte is the President of Box EMEA. Over a 30+ year career, he’s held executive roles at some of the world's highest-profile software companies including Google, Hyperion, and Oracle.