The reference to Warren in the headline to this piece is mostly just clickbait. It explores a serious issue.
Elizabeth Warren’s move on Amazon over Capital One hack is a warning shot to cloud providers
Published Thu, Oct 24 2019 2:58 PM EDT
Updated Fri, Oct 25 2019 2:17 PM EDT
Key Points
- The question of whether ubiquitous bank participation in a narrow set of cloud providers creates a systemic risk to the financial system is one regulators have been privately and publicly asking for years.
- Now the theory will be tested in public view, as Amazon has been asked to explain its role in a breach that occurred at Capital One on a platform built on AWS.
- It is another significant step toward a very public discussion of how cloud giants receive regulatory oversight, and another strategic move by legislators to highlight the “systemic” importance of cloud service providers to the wider financial sector.
Regulators have been asking for years whether banks’ use of a narrow set of cloud providers creates a systemic risk to the financial system.
Now the theory will be tested in public view as Democratic presidential candidate Sen. Elizabeth Warren, D-Mass., has asked the Federal Trade Commission to explore Amazon’s role in a recent security breach that happened at Capital One.
It is another significant step toward a very public discussion of how cloud giants receive regulatory oversight, and another strategic move by legislators to highlight the systemic importance of cloud service providers to the wider financial sector.
An arm’s-length relationship
In Capital One’s case, a former Amazon employee exploited a loophole in the configuration of the firewall for an application built on the cloud that allegedly allowed her to access personal information of 106 million Capital One customers and prospects.
As in most breaches that involve a cloud service provider, Amazon has sought to stay at arm’s length from the problem. Amazon told The New York Times shortly after the incident that its customers fully controlled the applications they built and that it had no evidence its services were compromised. Capital One also said the breach was the result of a misconfigured firewall within an application built on the cloud, not a flaw of the cloud service itself.
Keeping that distance has been in the interests of both the banks and the cloud providers. Banks build very complex infrastructure and vast information databases on the servers they rent from the providers, and because of a complicated global mix of privacy and cybersecurity rules, they want the fewest outsiders possible to have access to it.
Giving a third-party cloud provider such as Amazon, Microsoft or Google the ability to “fix things” at will, with full access to bank data, would expose the bank to security and privacy problems as much as it would expose the cloud provider to liability.
So instead, the preferred arrangement has been to give banks complete autonomy over what they build and run on these cloud services.
A question of systemic importance
But regulators across the Western world, not only in the United States, have been growing increasingly concerned about how a cloud security breach could impact the financial sector.
continues at cnbc.com