Cloud Security , Security Operations

Trump Orders IaaS Providers to Track Foreign Users

Under Executive Order, Cloud Providers Must Vet Foreign Customers
Trump Orders IaaS Providers to Track Foreign Users

In the waning hours of his presidency Tuesday, Donald Trump issued an executive order requiring U.S. infrastructure-as-a-service providers and other cloud service providers to maintain detailed records on foreign clients that could be used to help track down those committing cybercrimes.

See Also: Live Webinar | SolarWinds Breach: If Cyber Companies Can Get Hit, Do You Stand A Chance?

"In appropriate circumstances, to further protect against malicious cyber-enabled activities, the United States must also limit certain foreign actors' access to United States IaaS products," Trump said in a letter about the executive order.

The order amends Executive Order 13694 issued by President Barack Obama in 2015.

"Foreign actors use United States IaaS products for a variety of tasks in carrying out malicious cyber-enabled activities, which makes it extremely difficult for United States officials to track and obtain information through the legal process before these foreign actors transition to replacement infrastructure and destroy evidence of their prior activities," according to Trump's executive order.

President Joe Biden has the power to revoke any previously implemented executive order. But a list of executive orders he was expected to sign Wednesday did not include the IaaS order.

IaaS Provider Requirements

The Trump executive order looks to close loopholes that allow cloud services to be bought or leased without proper vetting of the customer.

The order instructs the Department of Commerce to propose regulations that require U.S. cloud service providers to verify the identity of any foreign person who obtains an IaaS account. This includes setting minimum standards that U.S. providers must adopt to verify the identity of a foreign person in connection with the opening of an account or maintenance of an existing account.

Under the order, the Commerce Department must also set standards for the types of documentation and procedures required to verify the identity of any foreign person acting as a lessee or sublessee of these products or services.

The cloud service provider will be required to gather personal information on any foreign person or entity setting up an account, even if it’s intended to be a complementary or trial offering, the order states.

Implementing the Order

The order also requires the attorney general, the secretary of the Department of Homeland Security, the Commerce Department secretary and other department heads to solicit feedback on how to increase information sharing and collaboration among cloud service providers and other federal agencies.

The agency heads must then prepare a report with recommendations for information sharing between the government and IaaS providers, including reporting of incidents, crimes and other threats to national security.


About the Author

Doug Olenick

Doug Olenick

News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to joining ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to Forbes.com, TheStreet and Mainstreet.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing cuinfosecurity.com, you agree to our use of cookies.