Modern-day enterprises require cloud technology to support innovation, keep up with market demands, and meet evolving customer needs. At the same time, the digital security landscape continues to evolve with growing threats becoming more advanced and explicitly targeting cloud technologies. To meet these changes, cloud service providers are adapting to provide greater capabilities and enhanced security features.

 

Without taking action to address cloud trustworthiness, organizations may face significant risks to innovation and security. IBM has invested in developing capabilities that strengthen our customer’s trust in our cloud services. For example, IBM Cloud Hyper Protect Crypto Services offers “Keep Your Own Key” capabilities which allows customers to have exclusive key control. Only authorized users – no privileged users, including IBM Cloud administrators – have access to encryption keys. This means the customer controls who has access to their data while still leveraging the utility and benefits of the cloud.

 

Governments can and should act as well. Using the principles outlined below, cloud policies can enable technology trustworthiness, support digital transformation, and reduce unnecessary burdens and restrictions while empowering customers to make risk-based decisions.

 

1. Choice

Policies should take a risk-based approach to data privacy and security with a framework which enables enterprise users to make informed decisions on where and how to store, move, access, and share data. These decisions should be based on an organization’s risk appetite, specific-use cases, data type, business drivers, and security needs and not be required as part of cloud laws or security certifications.

 

2. Security

A “technical mechanisms”-first approach leverages tools for stronger data safeguarding and greater resiliency, such as users keeping full control of their encryption keys. Moreover, cross-border sharing of threat information and monitoring networks from various locations drives more positive security outcomes. Policies should also leverage existing globally recognized security standards and certification regimes to avoid duplication of effort and dilution of focus by unnecessarily diverting resources.

 

3. Trust

Enterprise users should be able to control and safeguard their data by leveraging strong privacy protections and tools, including encryption, without fear of government “backdoor” access. Policies should be clear that any government request for data should be directed to the user, not the cloud provider. Policies should acknowledge the differences between cloud service provider business models and tailor regulatory obligations proportionate to the risk level that data-driven business models pose to consumers.

 

4. Harmony

Preserving access to the world’s best technology, people, and data is essential to our collective prosperity. Policies should strike a balance between providing guardrails, enabling innovation, and ensuring access to cutting-edge technology. Moreover, policies should acknowledge that data is the engine of the global digital economy and enable the free flow of data across borders without residency requirements and by supporting bilateral/multilateral data agreements. Policies should also avoid conflicting with other nations’ law such that cloud service providers’ legal compliance in one country does not amount to a violation of law in another.

 

5. Future Proof

Policies should leverage new approaches – like an open, hybrid cloud – to be “tomorrow ready” and address needs such as technological divserity, service and data migration, and quantum computing. IBM supports policies that recognize shared responsibility, enable interoperability and data portability, and prioritize investment in migrating to industry-agreed standards for post quantum cryptography.

 

 

As usage matures, traditional cloud is no longer adequate. IBM is investing in the emerging needs of our customers with an open, hybrid cloud that leverages open source and governance – such as Red Hat OpenShift. Open source projects are invaluable to enterprises, providing interoperability, portability, and security – and by expanding clients’ growth and supporting their needs through access to developer and ecosystem resources. The ability to leverage public, private, IoT, edge computing, distributed cloud, and even multicloud solutions means organizations do not rely on a single vendor and have more flexibility and cost options.

 

IBM supports policies around cloud technologies and “technology sovereignty” that ensure the ultimate choice and control resides with the customer. Users should be able to take a risk-based approach to decide where, when, and how their data is used, stored, accessed, and moved. Forced localization by government intervention of any aspect of cloud computing – from the data to its storage, control, and management – may greatly reduce its security, resiliency, or cost.

 

As organizations continue to migrate to the cloud, trustworthiness will be an important topic. Organizations need a trustworthy cloud to provide assurance that new technologies and capabilities will enable digital transformation and accelerate innovation. IBM supports laws and policies that enable governments and industry to use trusted, state-of-the art cloud solutions, while not applying overly broad regulations which would restrict continuous improvements in technology.

 

 

 

-Howard Boville, Senior Vice President & Head of IBM Cloud Platform

 

 

 

 

 

 

 

-Mason Molesky, Cloud Policy & Cybersecurity Policy Executive, IBM

 

 

 

 

 

Share this post: