US FTC Seeks Information on Cloud Provider Cybersecurity

The global shift into cloud computing may come under increased scrutiny by U.S. regulators following an announcement by the U.S. Federal Trade Commission that it is studying cloud industry market dynamics, including potential security risks.

See Also: Single Tool Security | Prisma® Cloud for Your Multi-cloud, Hybrid, and Microservice Environments

The oversight agency issued a request for information asking whether cloud providers use contractual or technological measures to entrench customers.

It also asks for public response by May 22 to questions such as what representations cloud providers make about data security and contractual divisions of responsibility for the security of consumer personal information stored in the cloud.

“Large parts of the economy now rely on cloud computing services for a range of services,” said FTC Chief Technology Officer Stephanie Nguyen.

Analysis from tech market research firm Canalys says total worldwide spending on cloud infrastructure is growing by double digits and reached $247.1 billion in 2022.

The top three providers – AWS, Microsoft Azure and Google Cloud – collectively accounted for approximately two-thirds of the total spend. Consolidation has been a fact of life in the cloud computing market for more than a decade, marked by incidents such as the 2013 failure of infrastructure-as-a-service provider Nirvanix.

“If it is a very high capital-cost industry, which I think it is, it could make sense to have a few major players, in which case you would want to have public utility rules to make sure there’s no discrimination at different layers of the supply chain,” said Matt Stoller, director of research at the American Economic Liberties Project, a Washington think tank that promotes aggressive enforcement of antitrust regulations. “There are a lot of open questions about this area,” he added.

The FTC in January finalized a consent order with education technology provider Chegg alleging the company exposed the sensitive information of millions of customers and employees. The company stored users’ personal data on cloud storage databases in plain text and used weak encryption to protect user passwords, the agency says.

A 2022 study of cloud customers by Thales, in which nearly 3,000 security professionals and corporate executives participated, concluded that cloud data breaches and failures are a common problem. Slightly less than half of survey participants acknowledged undergoing a breach or failed audit involving data or applications residing in the cloud. Slightly more than half agreed that managing privacy and data protection in a cloud environment is more complex than doing so on-premises.